Managing the fallout of a data breach is a team effort, which makes communication vital. Every employee with an email address can be targeted by increasingly sophisticated phishing scammers, so protecting an organisation's data is the responsibility of everyone, not just the IT department. High-profile cases such as Yahoo, Equifax and, more recently, MyFitnessPal tend to dominate the headlines, but smaller businesses are at risk too: according to the Verizon Data Breach Investigations Report, 61% of breach victims in 2017 were businesses with under 1,000 employees. It is therefore imperative that every organisation, whatever its size, is ready to manage a breach when, not if, it happens.
The crucial first step should be taken before a cyber attack has even happened. Communication can become difficult when ransomware has blocked access to email, so having incident management conversations before a breach happens can help facilitate a swifter response. Channels of communication need to be open between IT, HR, legal, financial and customer service departments as a part of preparing for a breach. Having a cross-department team with clear leadership ready to deal with a cyber attack is the best way to ensure a successful response.
However, planning for a breach is not always enough. When your cyber defences have been compromised, communication is still the most valuable tool for making sure your best-laid plans do not go awry. Again, without access to email, you will need an independent channel of communication and ready access to the contact details of everyone you need to reach, both internal and external (suppliers, third-party IT specialists, clients, etc.).
Once the facts have been established and shared with employees, and the technical steps of disaster recovery are underway, the next phase of managing the breach is communication with the outside world. GDPR comes into effect this May (it applies from 25 May 2018) and introduces "a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible." Failure to notify the ICO of a reportable breach can attract fines of up to €10 million or 2% of global annual turnover, whichever is higher, so missing this key piece of communication could be a costly mistake. GDPR also requires that, where a breach is likely to result in a high risk to individuals, those affected are told without undue delay; beyond that legal duty, your stakeholders, customers and anyone else who may have been affected will expect to hear from you.
The goal when alerting people to the data breach is apologetic, honest communication with your organisation's wider community of customers and stakeholders. Take responsibility, be transparent about the steps you have taken and are taking to minimise the damage, and be an active presence in the media, including social media. All of this is, of course, much easier and smoother if it has been pre-planned and the resources (e.g. draft press statements) shared with staff according to a communication plan.
Although no plan is ever perfect, and cyber attacks are increasingly engineered to get past our careful planning, communication plays an all-important role in managing every stage of a breach. The best incident management happens long before the incident does. Clear, fast communication is the key to ensuring your people are empowered to give an effective, professional response that could protect your reputation and assets following a breach.
YUDU Sentinel is an app-based crisis communication platform for the management of fire, terrorist and cyber attacks, or any other critical incident. Crisis managers have immediate access to independent two-way communication channels (SMS, voice, email and in-app messaging) and can view key documents on their mobiles. Sentinel is a cutting-edge crisis management tool. Find out more at www.yudu.com/sentinel or contact us on Twitter @YUDUSentinel.