There is almost a stock headline these days which is trotted out whenever a major company is targeted by hackers.
A Google News search for ‘data breach’ in the last 24 hours alone throws up almost 120 news stories, including ‘100 million Americans just had their personal information leaked in the massive MC2 Data breach’; ‘PSNI data breach: Attempt to agree on compensation amount’; ‘Dell Data Breach Leaves Info of Over 10,000 Employees at Risk’; and ‘IBM: Data Breach Impact Drives Costs to New Record Highs’.
While customers and employees have a right to expect their data to be protected, it seems that the finger of blame points all too quickly at the company itself rather than the criminals themselves.
“Sadly, the media narrative is still one of ‘organisation X admits to data breach’ rather than ‘hackers strike again, when will this crime be stopped?’” Ian Thatcher, CEO of strategic communications consultancy Robots & Humans, tells BusinessCloud.
“The press seem to play the role of persecutor, where the dynamic and language is very much placing the organisation that has been hacked as the negligent or offending party.”
London-based Robots & Humans counts Aston Martin and mobile network non-profit the GSM Association among its clientele.
Thatcher advises businesses to take proactive steps so that, if the worst were to happen, everyone would understand the next steps to take.
“Have a pre-existing plan in place for that moment when you lose control,” he says. “If the press beat you to the understanding of what you’ve lost and the potential impact, have that planned narrative ready to go.
“If the breach is sizeable and the organisation is of public interest, the phone will not stop ringing. Have a plan for this moment. Until then, remain open to all possibilities.”
However, should a threat materialise over email, for example, it is important not to jump the gun.
“Do nothing [immediately]. Sit and wait,” he advises. “Any awareness raised prematurely can exacerbate a situation. Establish what has been taken, and when.
“This should provide the level of threat and a potential bluff. From this you can consider your actions and determine the right strategy.”
Companies must balance transparency with the need to control the narrative and avoid panic among stakeholders following a cyber-attack, Thatcher adds.
“Firstly, look to your brand: positive brand sentiment and a measure of public goodwill should provide a cushion in such situations,” is his view. “The public are likely to be more empathetic towards a loved brand than a brand that is perceived to be ‘no good’.
“Don’t be afraid to condemn the situation and the actions taken; remember that it is likely that your organisation is a victim – unless some negligence or fraud has been exposed.”
In March 2023, Capita suffered a major cyber-attack which cost the UK outsourcing giant tens of millions of pounds. Thatcher says a lack of internal comms was at the heart of this loss.
“At the point where the internal team had no idea how to handle the attack, the CEO went to press announcing that their strategy would be a benchmark in how to handle a cyber-attack,” he explains.
“Internal communications should start immediately and be ever-present. The most common cause of a cyber-attack is an employee clicking on a phishing email. Use internal communications to create ‘good citizens’ and create a culture where clean data practices and preventative cyber security behaviours are ever-present.
“A high street food retailer used a part of their internal communications bulletin to name and shame people caught stealing from the store – including staff. This approach could be used for a data breach.”