Imagine one day you go into work only to discover that there has been a data breach. What do you do? If you work in the security team, you will be focused on finding out how it happened, understanding the extent of the damage, preventing it from getting worse and taking measures to stop it happening again. But what about the CEO who all of a sudden is thrust into the media spotlight and is expected to be an overnight cybercrime expert, with their every word scrutinised?
How this one individual acts at the time of crisis can have huge ramifications for the longevity and prosperity of the business. This is exactly the situation the CEO of TalkTalk, Dido Harding, has found herself in this week. Baroness Harding isn’t the first to deal with such a situation and she certainly will not be the last. However, if it is handled in the right way, a business can come out stronger on the other side! Here is how you can play your part in helping the CEO.
Speak the CEO’s language
Typically a CEO is only going to show a keen interest in data security and cyber-attacks at the point at which the organization has fallen foul. And a cyber-attack could be more likely than first thought. It is known that an attack can occur every 39 seconds, with 60% of small businesses having to close if they suffer from one themselves. However, given the right planning, access to resources, and investment, the risk can be mitigated. So, the first tip is to speak their language – money and share value. In the wake of the TalkTalk incident the share price took a 6% knock, and the fear of that type of news is something that will keep every CEO up at night. People who look into investing (be they the kinds to use SoFi or other services for this) care about these figures greatly.
Take advantage of the current headlines in the media to prompt an open board-level discussion about how your organisation would cope and work together to put a crisis communications plan in place. More importantly, take the opportunity to review the systems and processes you have and be ready to ‘pitch’ for what you need to mitigate the risk of a breach or attack. After all, a drop of a few percentage points can cost the company tens of millions and you will only be asking for a tiny fraction of that.
Be preventative, proactive and pre-emptive
Instilling trust in your stakeholders is crucial. It can seem like a good idea to try and contain and resolve the issue without raising alarm bells internally, but depending on the scale and type of the incident, that is a very risky business. The best advice is: when a breach or attack has been discovered, don’t sit on it. The marketing and comms team needs to be able to control the flow of information that they give to employees, customers, shareholders and the media, and they can only judge what the appropriate response should be (if any) if you are candid with them.
If you wait too long and the incident is ‘exposed’ in the public domain then you are automatically on the back foot fending off claims of cover-ups, neglecting customer confidentiality, not taking security seriously etc.
Keep the lines of communication open and the chain of command clear
It is important that the right people are confidentially briefed as quickly and fully as possible, so that they can process and take the appropriate course of action. When a breach is discovered there is no point in playing the blame game; there will be plenty of time after the event to assess what went wrong and why. Be clear and explain:
- What has happened (don’t use IT jargon).
- How it happened.
- Whether the situation has been rectified and, if not, when it will be.
- The extent of the breach and the best and worst case ramifications.
- What you have done so far, what you are doing right now, what will be done in the future and the impact your actions are likely to have on it happening again.
Share ideas and innovations and don’t be afraid to implement them
Despite your best efforts, if you find yourself in the midst of an incident, it might not seem like the best time to be discussing new initiatives that you have in the pipeline, but this might just be the silver bullet the CEO needs as action always speaks louder than words. Telling people you are sorry is important, being open and honest about the situation is vital, but being able to show that you have learnt from the situation and you as an organisation and your customers will be better protected in the future as a result is where the real difference can be felt.
For example, take a look at many of the recent data breaches and you will find that passwords are often the element that leaves an organisation exposed (although not in the case of TalkTalk). Either the passwords and account details have been lost, stolen or leaked, or a password was hacked to gain access to the system.
So imagine giving the under-fire CEO the opportunity to stand in front of the cameras and say that they have taken the decision to replace passwords with a new and more innovative type of security.
Now the headlines are about the bold and visionary company that has learnt from its mistakes and is leading the way. A negative has become a positive and even an opportunity to gain new customers.
As Baroness Harding said: “Cyber-crime is the crime of our era, of our generation, every single company in the world probably isn’t spending enough money on it – we are not the only ones.” In many respects what she is saying is true, but it isn’t a defence and it is small comfort to those customers who are left feeling vulnerable. Furthermore, the correlation between spend and security isn’t necessarily accurate, as we all know of organisations that spend a lot of money on systems and solutions that are no longer up to the task. However, every single company is at risk and they all need to be ready to respond.