By Eden Gillott Bowe:
When you face a cybersecurity threat, employee and public confidence are critical for your business to survive. You must remain calm and handle even the most serious ones with grace.
Don’t make failure an option. Learn how to communicate when times get tough.
FIRST CIRCLE: OH. NO!
“I have no idea what’s happening. Who should I call?” Ron Burgundy from Anchorman had it right — when you’re called to action, you can’t do it alone. While you don’t have to literally sound alarms or yell out, “Crisis Team, assemble!” you need to know who’ll be by your side in case of an emergency.
It’s ideal to have your team established before there’s an issue. But let’s be honest: Establishing a Crisis Team probably isn’t high on your company’s 2018 To Do List — if it’s there at all.
Besides your high-level executives, some of your important superheroes include: an attorney who specializes in privacy and cybersecurity because laws and requirements are evolving constantly; the head of your IT department who’s comfortable handling high-stakes security issues (if he isn’t, you need to have an IT security consultant on speed-dial); and an insurance agent who’s familiar with your cyber insurance policy.
SECOND CIRCLE: NOW WHAT?!?
“My team is figuring out what’s going on. What should I do?” Take a deep breath. Your team is doing what they’re awesome at. Your job is to follow their professional advice.
“Okay. More information is coming in. What, when, and how should I tell people?” If it’s business as usual: Don’t unnecessarily alarm your employees or clients. You don’t want to cry wolf, but you also don’t want to take your cues from Yahoo! Once you know the scope of the breach and that disclosure is required, the sooner you communicate the better.
If everything seems to be going wrong and nothing is functioning properly: You need to reassure your employees and clients ASAP. Both groups need to know what’s going on, and they each have different concerns. Understand where they’re coming from, and tailor your messaging accordingly.
You’ll need to be ready to answer: What’s going on? How does this affect me? How did you let this happen? What are you doing to fix it? What does this mean for me in the future?
Your employees are frustrated. On top of possibly being unable to do their jobs, they’re receiving angry and/or panicked emails and phone calls from clients. If you don’t communicate and reassure your employees, you run the risk of them venting their frustration to clients about the way you’re mismanaging the crisis. Treat your employees with respect, and they’ll be your best advocates.
Your customers need to be reassured that their information is safe and that you’re working faster than you thought humanly possible to restore peace and order to your company’s universe.
How you deliver these messages depends partly on legal requirements and partly on personal touch. If you’re required by law to send a letter, you send a letter. If your company is customer relations focused or relationship driven, then reaching out to clients on a more personal level in addition to sending a legally required letter makes a world of difference. Think about how you’d want to be treated if you were in their shoes.
“Is there anything I should or shouldn’t say?” Choose your words wisely and be reassuring.
Never lie because the truth tends to find a way of revealing itself. Don’t accidentally feed into people’s fears by speculating because they may take what you say as fact (which may expose your company to legal liability). Don’t mislabel a “security event” or “security incident” as a “breach.” “Breach” is most commonly used but is often inaccurate. They mean different things and have different legal disclosure requirements.
THIRD CIRCLE: PHEW! THE WORST IS OVER.
“Who should be the spokesperson?” It depends on the severity, who’s qualified and credible, and who’s comfortable speaking on the company’s behalf. If your spokesperson is qualified and credible but lacks comfort, you run the risk he may get flustered and cause more harm than help.
Larger companies have more options: the media relations person, CEO, head of security, or general counsel can be good options. Smaller organizations may opt for using their privacy and cybersecurity attorney because they’ll know what to say to keep you out of legal hot water.
“A reporter is asking to speak with me? Can’t I just dodge their calls or tell them ‘No comment.’?” Of course, you can … but is that really the best option? Before you decide to brush off the media, consider the following:
- How will your company look if a negative story filled with speculation, rumors, and misinformation runs and the only thing representing your company is “So-and-so at Company 0101 could not be reached for comment.”?
- What do you think when you read a story about nasty allegations and the person being accused says, “No comment.”?
- Would you like to correct misinformation about your company before it gets published and shared?
Receiving a call from the media can feel scary and threatening, but it doesn’t have to be. There’s always something you can say or do to make the situation better.
Your spokesperson needs to be armed with correct information and prepared with talking points. Stepping in front of the media armed with partial or misinformation is the fastest way to torpedo your company’s credibility. (The talking points should be approved by legal, of course.)
Working with the media doesn’t end with your designated spokesperson. Make sure all of your employees understand the importance of having a single spokesperson who’s responsible for delivering accurate information. All the spokesperson training in the world won’t do you good if your employees don’t know who to point the media towards.
A good policy is to train your employees to say, “The best person for you to speak to is [name of designated spokesperson].”
FOURTH CIRCLE: PREPARING FOR THE FUTURE
“I never want to go through that again.” Completely understandable. Good news: If you learn from this and make the necessary adjustments, you’ll be more adept if you ever face another cybersecurity issue in the future.
Before you set your Crisis Team free, review what worked and what didn’t. You may also wish to include key employees who were on the front lines and customers you trust to get their perspectives. The sooner the better because time has a funny way of blurring memories of events.
Remember: Don’t just gather the data. Use it to make improvements to your business.
Eden Gillott Bowe is president of Gillott Communications, a crisis and reputation management firm based in Santa Monica, Calif. She has written for the Los Angeles Times, Wall Street Journal, NPR, Washington Post, Forbes, Disaster Recovery Journal, and Security Magazine. She is a former business professor and author of “A Board Member’s Guide to Crisis PR” and “A Lawyer’s Guide to Crisis PR”. She can be reached at email@example.com.