Many organizations and governments have fallen victim to having their websites and internal communications networks hacked.
Last December, retail giant Target fell victim to a data breach in which hackers broke into its point-of-sale system and obtained personal information and credit card numbers, impacting 110 million customers. This was one of the largest data breaches in history, and it exposed major shortcomings in Target’s crisis response readiness, which led to the recent departure of its Chief Executive Officer.
Business leaders should look closely at Target’s handling of this crisis and review their own readiness to handle a similar breach. There are several key learnings that are relevant to all organizations dealing with personal information.
Make a Plan
Businesses handle large amounts of personal data and need to be prepared for a data breach that could happen at any time. This means that organizations need a well-documented, pre-planned citizen response strategy before the crisis occurs. Once news of a breach gets out, response time for accurate communication is critical. Pre-planned scripts for all frontline personnel, social media strategies, PR and digital communications need to be in place, ready to be adapted to the specifics of the situation.
Have Emergency Notification Systems Established
Internal and external communications need to be deployed quickly and accurately across multiple media to alert individuals to the situation and provide detailed information on required actions. Standard email systems are insufficient to deliver this volume of information in a timely manner and ensure all citizens are informed. The senior official in the business must assume a high-profile role in communications.
Appoint an Experienced Crisis Management Team
Organizations need crisis management leadership that has extensive data security expertise coupled with strong communications and public relations skills. A crisis of this scale is likely to impact every department within a municipality and the team composition needs to reflect that impact. Leadership includes the need for scripting and documentation to explain the situation to the public. The CEO or President needs to be seen as being in front of the event.
In cases of data breach, the true facts often take weeks or months to uncover. The exact number of impacted records and the nature of the attack can take time to pinpoint. In Target’s case, early release of inaccurate information increased negative public response and significantly impacted the company’s reputation. Businesses must inform citizens when a breach has been identified, but they need to delay releasing exact numbers until the facts are clear. Communications should focus on what actions potentially impacted individuals need to take; once identified, immediate notification to all customers must occur.
Follow Data Protection Best Practices
The vast majority of cyber-attacks exploit common vulnerabilities and can be avoided by employing basic network protection practices. In February, the National Institute of Standards and Technology issued a cyber-security framework that it developed jointly with representatives from 16 different industries, providing a common template for corporate data security. Release of this framework, coming on the heels of the massive data breach at Target, has captured significant industry attention. While there is no way to guarantee that your organization will be immune to a cyber-attack, the reputation damage will be far greater if news gets out that you hadn’t taken the proper precautions to protect your business.