By Naomi Eide, BizSmarts
Published in the Washington Business Journal
Sep 18, 2015
With security breaches popping into the news almost weekly, Susan Davis International works to find the best way to respond to the potential fallout. Vice president and crisis management expert Tom Davis, a member of the firm’s recently created cyber risk communications team, discusses how a targeted company can still at least protect its reputation.
What’s the first piece of advice you have for companies? You’re entering a relationship with a client somewhere along the continuum, from the planning and preparation side to the response side. I think anyone in the business will tell you that, ideally, you’re coming in on the preparation side. You’re really talking about doing the planning, evaluation and doing some sort of exercise to understand what the true capabilities are. Then, if and when there is an actual incident that occurs, then supporting the plan. Now that isn’t the way it always works, that’s the ideal way. Because when you get to the response side, a lot of what’s going to be done will be heavily dependent on what is done on the planning and preparation side.
Planning and preparation early on is key to how well a company responds later to a hack… more
When there is a compromise, what do you advise companies to do? There are essentially two parts that have to work in harmony here. One of them is the distinct technical response internally, which is not what we do. But the company, either using its assets or a vendor will be dealing with the breach to patch that. On our end of it, on the response side, basically the company needs to do the calculus about what the damage is and what its stakeholder universe is. Then look across that stakeholder universe to understand what the key concerns are of all those who have an interest in the company’s response.
What’s key in thinking about that? Effectively, what’s at stake here is the company’s reputation. How people perceive the company’s response will have a lot to do with the ultimate penalty that any given victim of a breach will have to pay. What you’re looking to do there as quickly as possible is understand what the key concerns are and start addressing those concerns on the communication side. This is really a critical component: You have to make sure what you’re saying is consistent with what you’re doing.
How should companies deal with the communications if they don’t want to share there was an attack? You really do need to make sure that you’re getting out in front of it. This is sort of a classic crisis management consideration. The underlying reality here is that, at some point, it is going to be apparent. Generally speaking, when a company is breached, the data suggests that it takes, on average now, nearly seven months for the company to discover the breach. Most of the time, it doesn’t discover it itself. The breach is brought to its attention by somebody from the outside, could be law enforcement. Ultimately, the accompanying reality here is that people are going to know about the breach, and it is going to get disclosed in some fashion.
So what should they do? The appropriate thing for a company to do is take control of the situation. You want to be in control and driving the messaging, rather than responding to it. Understand your responsibility to all your stakeholders is to do just that.
How should companies do this? Identify internally how responses are going to be handled, and set some policies. Typically, you’re going to identify the characteristics of an incident here, which is unlike others. If you’ve got information of value, you’re going to be the subject of recurring kinds of attacks. What you’re saying is, for us to respond, it has to cross this threshold. Part of the process on the front end of planning and preparation is to say, “Here is our threshold.” When an incident occurs and it has these characteristics and crosses that threshold, that’s going to mean our crisis management team is going to be brought to bear on this. All the internal procedures we have been practicing regularly, hopefully, will now kick in.
Is a cyber attack any different than any other crisis a company might face and need to respond to? There are two things that make it a little unusual. One is the usually distinctly technical aspect of it. You’ve got the wonkiness part of IT people where the language is not that which is generally available to other people in the organization. There’s sort of a chasm here that has to be crossed, that has to be bridged in some fashion so that the internal communication flow makes it really obvious exactly what’s going on. Because that, in turn, has to be part of the messaging that takes place on the other end of it.
And the other thing that differentiates it? There is a certain unknowability about the breach. If you have a classic crisis that’s driven by a natural disaster, for example, or you have an oil spill — any of the things you think about that constitute crisis for different kinds of organizations — there’s all this information you have going out in the early stages. But there’s more of a certainty to what it is and how it’s going to play out than when the crisis is driven by a data breach. The breach aspect of this, there is a certain mystery that accompanies that. When a data breach is discovered, the clock is ticking immediately but it is really unlikely that the companies will really, truly understand the scale and scope. There’s going to be the issue of attribution — and you’ve seen this play out multiple times — where attribution is difficult.
What could the Office of Personnel Management have done differently in responding to its hack? Frankly, the first thing that comes to mind with regard to OPM is the dripping of information in the aftermath of the attack. It’s a very slippery slope that you start on when you don’t reveal information at the beginning, which comes out in drips and drabs over a protracted period of time. That’s a little bit like Chinese water torture, and you end up seeing that the spotlight doesn’t go away. It continues, it actually grows ever hotter. In the end, the head of OPM loses her job over this and the job loss was driven, in my mind, less by the actual breach than by how the aftermath of their breach was handled.
What’s a better way to handle the communications then? Customers will be one of a whole range of audiences that you have to deal with. This is kind of driven by an understanding of what business you’re in and which of your stakeholders are most likely to have been affected. But, it’s basically a process in which you have to say: What are your critical interests and how is this incident affecting those critical interests? Then what do we need to say to them that essentially gives them solid information about exactly what’s transpiring here — together with the implications for them about what’s transpiring? If they are injured by this, what it is that we can do that will ameliorate the injury?
How about when you don’t know those implications? There’s probably not a situation in which it is perfectly knowable. But the dimensions of the implications are generally available relatively early on. It won’t be a complete picture, it’s a little bit like weather forecasting — if you look out over 30 days, it’s a little murkier. But near term, it’s a little more clear what we know right now. That has to be part of the message. You have to lay the groundwork for the possibility that you’re going to be coming out a second time around and saying that we have updated information, and this is what we have. And that’s not unusual. But it’s important that whoever is speaking on behalf of the organization is doing so in a way that inspires confidence in people. You know, that there’s a sense that this individual in the organization is being candid about it.
What are common mistakes that companies make when they’ve been hacked? The mistakes on the response side tend to be either being close-mouthed and reticent about response or being in denial about the implications about the response. Those are sort of classic kinds of mistakes. The other thing that happens with some regularity is you see organizations being very defensive about it. The other thing is the inclination to really portray themselves as victims. The whole victimology part of this is an interesting conversation.
What do you mean? Clearly, you’re being victimized by somebody. But if you’re holding, for example, personally identifiable information of a lot of your customers and now that’s been lost in the breach, they’re seeing themselves as victims. They’re not going to send a sympathy to you as a victim.
How you deal with losing customers as a result of a breach? I wouldn’t want to underplay the fact that you might lose customers. We know that customers have this set of expectations about what an organization is going to do. There was a study done that basically says about 90 percent of people who were victimized by a data breach felt that businesses have to notify customers immediately when their breach is discovered. Because that has not always been the case, there is reason to believe that customers will be disaffected. They may judge who they’re going to do business with based on their sense of how reliable the relationship is and how reliable this business is.
What factors might that depend on? This is all driven by what competition exists in the marketplace. If you happen to be like OPM, in which no one is competing for your services, it’s a slightly different premise. In the business world, if there is competition and your competitors are deemed to be more reliable and your response undermines confidence, then you can expect there is going to be some customer loss. That’s really why we’re so adamant that you need to establish your process and be able to get out and get in front of this unfolding event as quickly as you possibly can.
What’s an example of a company that handled its response well? Frankly, you can point out small flaws in lots of different responses, but I think, generally speaking, Morgan Stanley did a pretty good job in handling its breach. It was a significant breach, and they did a pretty good job. What you’re looking at is sort of the essence of how companies are resilient in the marketplace. Part of that is keeping your relationship, and that means communicating continually, and they do a good job ensuring there are aren’t lengthy intervals where people aren’t hearing from them and understanding what’s going on.
When is that most important? Particularly when the response is unfolding, it’s really important to communicate regularly, effectively. Anthem did a really good job in the beginning, in terms of getting out in front. Once they were breached, very quickly they were in the marketplace letting customers know about the breach. Then there wasn’t any communication, and they end up having the state’s attorney general going after them because it’s taking them too long to get back to their customers. It’s really critical that you live up to what you say you’re going to do.
How about a company that bungled its response? I’m reluctant to pile on here, but let’s take Target, for example. Target had this classic slow response where it seemed to be largely in denial about the nature of the breach and, frankly, its own responsibility. That rolled out over an extended period of time. Any number of lawsuits were filed against them. It ended up being dramatically unsuccessful in getting the suits thrown out, so it’s exposed to huge damages. The CEO loses his job — that’s sort of the classic, OK, but that’s probably not the way you want to do it.
What is most at stake for companies after a cyber breach? Really, the reputation. That’s what’s critically at stake once you’ve been breached. The fact that a company has been breached is hardly going to come as a surprise. We have this steady drumbeat of breaches going on. All you have to do is look to any news outlet on any given day and see something about somebody being breached someplace. But your reputation rides on the perception of how you’re responding to it.
What sparked your firm to start a cyber risk communications practice? It really was driven by the growing recognition that this was effectively an insoluble threat at the moment. There is no response that’s going to change the nature of the dynamic right now. So for the foreseeable future, companies are going to have to deal with this. It was apparent that companies were struggling with the whole aspect of the planning and preparation and what role is played by the board of directors. There were just so many moving pieces. Because of the work we do and the people we deal with, we decided there was a contribution we could make here that could be fairly significant.