“A data breach itself is the second worst possible event which can occur in an organization; the mismanagement of the communication about the response is the worst.”
– Exabeam chief security strategist Steve Moore
The Activ Consulting Group’s Jane Brust gave a presentation on crisis communications in a data incident to a gathering of IT and IT security professionals last week at the SoCal HIMSS Cybersecurity Forum. Following are highlights of the talk. For a complimentary copy of the complete presentation, email Jane@activcg.com.
Goals to Guide Your Crisis Communications
- Preserve the organization’s reputation by acting and communicating promptly.
- Provide information allowing those affected by the incident to take action in their own self-interest.
- Provide information in compliance with regulatory requirements.
Tips for Effective Crisis Communications
- Notify Executive Leadership immediately.
- Develop Key Messages upon which all communication will be based: employee messages, customer letters, news releases, talking points for interviews, etc.
- Communicate early and frequently as updates are available.
- Keep the communication brief and use simple language.
- Express regret that the incident occurred and accept responsibility for ensuring IT security going forward.
- Employees are a key audience with any crisis communication because their understanding and support are essential; they are ambassadors for your organization.
- Use a reassuring tone.
- Consider a hotline to answer questions.
- Move quickly from investigation and action on the incident to education about what is happening to improve cyber security and prevent a future incident.