“A data breach itself is the second worst possible event which can occur in an organization; the mismanagement of the communication about the response is the worst.”
Exabeam chief security strategist Steve Moore

The Activ Consulting Group’s Jane Brust gave a presentation on crisis communications in a data incident to a gathering of IT and IT security professionals last week at the SoCal HIMSS Cybersecurity Forum. Following are highlights of the talk. For a complimentary copy of the complete presentation, email Jane@activcg.com.

Goals to Guide Your Crisis Communications

  • Preserve the organization’s reputation by acting and communicating promptly.
  • Provide information allowing those affected by the incident to take action in their own self-interest.
  • Provide information in compliance with regulatory requirements.

Tips for Effective Crisis Communications

  1. Notify Executive Leadership immediately.
  2. Develop Key Messages upon which all communication will be based: employee messages, customer letters, news releases, talking points for interviews, etc.
  3. Communicate early and frequently as updates are available.
  4. Keep the communication brief and use simple language.
  5. Express regret that the incident occurred and accept responsibility for ensuring IT security going forward.
  6. Employees are a key audience with any crisis communication because their understanding and support are essential—they are ambassadors for your organization.
  7. Use a reassuring tone.
  8. Consider a hotline to answer questions.
  9. Move quickly from investigation and action on the incident to education about what is happening to improve cyber security and prevent a future incident.