(Special thanks to Sandra Fathi of Affect for her time and insights, as well as Cyber Security Chicago for their assistance. Please check out yesterday's interview with Marcin Kleczynski and our preview of Cyber Security Chicago with David Juniper)
When a cyber attack strikes any private or public organization, several key strategies need to be in place: securing data, modifying internal procedures, and crisis communication. Whether your organization is a nonprofit dealing with a breach of donor information or a private company handling sensitive financial information, you need to have an overall strategy. Late yesterday afternoon, Sandra Fathi of Affect discussed "Managing a Hack: Orchestrating Incident Response to Preserve Brand Reputation" for Cyber Security Chicago. We were able to talk with Ms. Fathi about communication issues, and we're providing a preview of her talk.
As Ms. Fathi explained in our discussion, other types of crises (such as hurricanes, politics, and negligence) often have clear patterns of progression. Communicating these issues takes strong coordination, collaboration, and a clear sense of the issue. However, crisis communication for cybersecurity issues involves dealing with multiple unknowns, like the source of the breach, the hacker involved, or what is being done with the hacked data. At the same time, data breaches are such a regular occurrence that most people are receiving one to two notices a month informing them of a data breach, and there is less of a negative perception than a few years ago. Consumers tend to have a higher level of forgiveness, understanding, and a willingness to move on.
However, many organizations share a common error when dealing with a data breach: a lack of internal communication. If an IT professional finds a hole while monitoring an organization's network, servers, and data, they may opt to simply "fix" it without communicating that result to other departments. As a result, internal departments may not be aware that a breach has occurred. The organization may also determine that the incident did not rise to the level of warranting public disclosure, which may result in various departments forgetting a critical communications piece.
(Thankfully, there are now laws in most states about data breach disclosure, but in some cases, what could be a potential breach can be seen as merely fixing a problem. The end result is that an organization may be found to be noncompliant with legal requirements around data breach disclosure.)
However, Ms. Fathi outlined some preventative measures for nonprofits, social enterprise, and other mission-driven organizations for handling these types of crises. (Organizations need to act as if data breaches are not a question of if they happen but rather when they happen). There are four "R"s when dealing with cyber attacks:
- Readiness - Preparation and monitoring for data breaches (even with simple tools like social media and Google alerts), but also anticipating potential threats/crises, discussing appropriate actions, and mapping out a crisis plan. As Ms. Fathi assured me, "The better you plan, the faster you respond";
- Response - Determining how internal communication will work during such a crisis, focusing on what and how;
- Reassurance - Informing customers/clients what had occurred and executing the crisis plan; and
Developing a crisis communication plan around data breaches should be a part of any business function (which includes nonprofits and social enterprise organizations). Ms. Fathi advocated that having a plan in place should not only be part of an organization's best practices around communications, but it should also be updated on a regular basis. This plan is as much internal as it is external, and organizations should engage their own employees about how to share information with the public and on social media, emphasizing that all inquiries need to go through management.
Crisis communications around data breaches are never easy, but thanks to Sandra Fathi's insights, nonprofits and social enterprises have greater insight into how to proceed.
Tomorrow's post will focus on another great speaker from Cyber Security Chicago, and we hope you'll join us then.