
PR & COMMS: TIPS FOR MANAGING UNPREDICTABLE DATA BREACHES

Words: Caity Dalby

Photography: Adobe Stock/Creative Commons


Data breaches can happen at any time, anywhere, and affect any organization. So how can you ensure that you’re prepared to deal with cyber attacks as and when they happen?

Having a defined, documented and well-distributed internal data breach communications strategy - supporting and enhancing the company’s wider recovery plan - is key to managing an unpredictable cyber attack. A breach may be unpredictable, but how you react, communicate, and recover shouldn’t be. And with Marriott International facing a fine of 123 million under the General Data Protection Regulation (GDPR) for failure to protect up to 393 global customers’ data during their 2018 data breach, cyber resilience is of paramount importance. [1]

INTRODUCTION


RESILIENCE

Cyber resilience is defined as the ability of an organization or business to anticipate, withstand, contain, recover, and evolve after a data breach (The Chartered Institute of Procurement & Supply, CIPS). [2]

When approaching these principles of cyber resilience, they can be separated into three primary stages: Before, During and After. Planning an extensive communications strategy for each stage, while ensuring you have a cohesive plan that touches every point in the business, is the key to cyber resilience. How you utilize your PR and comms to manage an unpredictable cyber attack can be the difference between substantial fines and surviving a data breach with minor reputational damage.

We look at the Before, During and After stages in the process of managing an unpredictable cyber attack, with examples of the good, the bad, and the ugly in cyber resilience.

ANTICIPATE, WITHSTAND, CONTAIN, RECOVER, AND EVOLVE

BEFORE

Preparation and Planning

Firstly, you need to define what a “data breach” means to your company. Every company is different in whose data it holds and how it stores that information. There needs to be a definitive idea of what a data breach or cyber attack looks like for your company, and a company-wide understanding of it, before you can plan your withstand, contain, recover and evolve strategy.

Once that is clear, a strategy needs to be built and put in place. This includes conducting simulations, a plan for internal responsibility and management during the breach, and the curation of a wide range of pre-written collateral. This will range from social media posts, marketing campaigns, press releases and general proactive PR outreach, to quotes or testimonials for key spokespeople. These are all of equal importance and none can work in isolation; only a holistic and wide-reaching communications strategy will be effective.

PREPARATION, PLANNING AND PEOPLE

People

The human aspect of managing an unpredictable data breach within a company is paramount to the success of recovery.

First and foremost, there needs to be an acceptance at all levels that despite all the preparation and planning in the world, you may still be targeted and suffer from a cyber attack. No one is invincible or impervious.

Second, clear planning needs to take place with a broad range of stakeholders. This includes the CEO, CMO, Head of Communications, and beyond. Key decision makers should plan a strategy in advance, matching responsibilities to those who can take action, and outlining how these plans complement the wider communication strategy. This ensures a brand’s reputation and values are upheld and that consistent messages are delivered across channels.


MYFITNESSPAL

On March 25th, 2018, 150 million MyFitnessPal customers had their accounts hacked and personal details stolen in a cyber attack on the sports giant - usernames, email addresses, and passwords were compromised. The parent company, Under Armour, stated that they became aware that “an unauthorized party acquired data associated with MyFitnessPal user accounts” in February 2018, a month before the public announcement. [3]

MyFitnessPal are a prime example of inadequate preparation, despite their initial seemingly adequate response. They not only failed to notice that their systems had been hacked for an entire month, but they had neglected to prepare or implement a plan for how to effectively deal with a cyber attack. They didn’t have a way to ensure that their customers’ data would be protected post-data breach.

This has come to a head, as it has recently become apparent that some of the hacked data has become available to purchase on the Dark Web a year after the data breach. [4] In a report from The Register, the hacked data from MyFitnessPal is on sale, alongside credentials from 15 other websites and apps, for less than $20,000 in Bitcoin. [5]

Despite minor encryption of passwords and MyFitnessPal’s instruction to its customers to change their passwords, the selling of these details could cause issues for people who reuse passwords across multiple websites. The ramifications of the MyFitnessPal data breach aren’t as far reaching as others; however, the sheer scale of the cyber attack and the continuing problems that are arising display an internal lack of forward planning.

DURING

Control and Contain

As you work to control and contain an unpredictable cyber attack, there needs to be an admission of clear liability and acknowledgement of responsibility from media-facing spokespeople. Saying sorry, and knowing when it’s appropriate to say it, is incredibly important. And as enquiries and press coverage increase during incidents, it’s important to move away from solely reactive action and be seen to be proactive.

As Jon Sellors, Head of Corporate Comms at LV=, says, you should “Remember the 3 Rs - recognize, regret and resolve.”

When in the midst of a data breach, clear lines of communication are crucial to ensuring important messages aren’t missed and the organization is responding in a timely fashion. This is as much the case with the acknowledgement of liability from the company’s spokesperson/people as it is with messaging on social media channels and the website.

As such, you need to have tight control over your communications channels. This includes stopping scheduled communications in the form of press releases and marketing campaigns, and making sure multiple people have access to the business’s social media accounts.

When communicating messages during a data breach, it’s important to consider your audiences, the social media channels they use, the type of content they respond to, and what they will be expecting in this situation. Maximizing your reach in this way will encourage engagement and awareness; while connecting with your audience in a professional and reassuring manner will help contain the fallout of the data breach. It’s important to be aware and mindful of the feelings of customers that have been directly impacted by the data breach.

It’s also key to consider time-zones and out of hours support, as the flurry of activity and messages won’t stop when your standard operating hours end. And if a crisis begins out of hours, or surfaces in a different time-zone to your company’s HQ, there needs to be a backup plan. Having a contingency plan for when your workforce goes home for the day should not be overlooked: organize employees to take shifts, provide on-the-go resources so employees can continue to work at home, or bring in outside support.

Another aspect of the control and containment period of managing an unpredictable cyber attack is the ability of your website to handle a dramatic spike in traffic. Websites often see a rise in visits once a data breach has been announced publicly and reported in the press, as members of the public look to official channels for answers. Ensure all information is up-to-date by setting aside a plan of action to bring in more resources. Factoring in time for training and providing additional equipment is useful.

In the same vein as providing adequate resources, technical competence within the business or a detailed plan for outsourcing technical support needs to be in place. Recovering quickly, with as little reputational damage as possible, is unlikely if you don’t have the fundamental technical competence to fix what led to the data breach in the first place and to implement a multi-channel PR and communications strategy.

CONTROL, CONTAIN AND MONITOR


As previously mentioned, it’s important to be truly global with your cyber resilience plan and media monitoring during a data breach. With cyber attacks hitting companies globally, out of hours, in a different time zone to HQ, or focused on a specific regional part of a business, the reach of your media monitoring needs to extend beyond English language news sources.

The Signal A.I. platform accurately categorizes, translates and extracts intelligence from over three million media sources a day and surfaces the relevant information in real-time. You should invest in a media monitoring tool that provides you with an invaluable global outlook and head start when dealing with media fallout during and after a breach.

Monitor

Staying informed during any kind of crisis, but especially during a public data breach, is essential. Knowing who is talking about you, the press you’re receiving, and the sentiment of that press can make all the difference in the outcome of your recovery process.

Utilizing a media monitoring and reputation management platform, such as Signal A.I., can automate the monitoring process and allow you to respond to media coverage in real-time - a must in the modern 24-hour news cycle. The Signal A.I. platform mirrors the established workflow of a business, automating media monitoring, reporting and analysis, to free up time for key stakeholders and spokespeople to focus on making informed decisions in the cyber attack recovery process.

A great example of efficient and effective control and containment of a data breach is the 2011 cyber attack on SONY’s PlayStation Network. The data breach is viewed as the worst to hit the gaming community of all time. It impacted 77 million PlayStation Network accounts, and out of these accounts 12 million had unencrypted credit card numbers. Hackers gained access to full names, passwords, e-mails, home addresses, purchase history, credit card numbers, and PSN/Qriocity logins and passwords.

The data breach hit SONY hard, with the website down for a month and estimated losses of $171 million. Despite the financial ramifications of this incident, it serves as a great example of corporate responsibility - knowing how and when to say sorry.

Like many companies that experience a data breach and the inevitable backlash that comes from it, SONY’s approach wasn’t without faults and imperfections. However, they knew when to take responsibility as a company, how to apologize, and which spokespeople had to take public liability. In a move that helped to save them from further reputational damage, SONY’s president and two senior executives stepped up as media-facing spokespeople to apologize publicly and accept liability for the data breach. [6]

SONY


AFTER

Once the dust has settled and media coverage has slowed, it’s time to learn from the experience, evolve so it is less likely to happen again, and understand why it happened to you in the first place.

Learn and Evolve

There isn’t a definitive step-by-step process to follow in the aftermath of a data breach. But once you’ve managed to withstand the initial cyber attack, you need to go back to the drawing board with the rare opportunity to shape and improve your processes. All of the following need to happen simultaneously for a business to truly come out of a serious data breach the better for it.

You need to re-prep and plan for next time. And don’t be complacent as there may very well be a next time. This involves evaluating what in your current strategy to manage an unpredictable cyber attack did and didn’t work.

You need to question everything the business did in reaction. Did you monitor the media being produced about you adequately, so that you could provide real-time, useful updates? Can you confidently claim that you effectively contained the damage through both reactive and proactive measures? Was your messaging about the data breach clear and informed? An outside mediator, moderator, or security provider may be necessary for this process, as objectivity is hard to maintain.

Communicate

There also needs to be continuing and clear key messaging about the breach in the aftermath. Companies need to proactively provide information on any ongoing investigations, the results of these, and further actions they are taking to ensure the data they hold is more secure.

With the implementation of GDPR in Europe and other data protection laws across the globe, including the US Federal Trade Commission Act, consumers are more acutely aware of their rights. They have a better and more informed understanding of how data protection and security works, the value of their information, and the consequences for businesses that do not comply. As a result, it’s absolutely necessary that you do not shy away from the breach; the press and your customers certainly won’t.

LEARN, EVOLVE AND UNDERSTAND

Understand

In tandem with the above actions, as a business you need to define why you were the target for a cyber attack. This can be for a multitude of reasons, but defining why you were targeted will be invaluable information to possess in the learning and re-planning process. And again, it is an opportunity to realign and direct the company in a different direction.

Businesses are either randomly targeted or chosen due to obvious (to cyber attackers) security flaws or for reputational reasons. In the case of Ashley Madison, the extra-marital dating site, it’s no surprise that it was reputation driven. If you determine that you were targeted because of the latter, you need to assess what you can do to change your reputation and public perception of your company.


Reputation is everything, especially when yours attracts “vigilante” hacking groups.

Ashley Madison, or The Ashley Madison Agency under the parent company Ruby Corp, suffered a massive security breach in 2015 that exposed over 300 GB of user data. This included users’ real names, banking data, credit card transactions, and secret sexual fantasies.

The vigilante hacking group ‘The Impact Team’ demanded a ransom for Ashley Madison’s users’ data, as a punishment for the company not keeping the data secure. This wasn’t paid, and the ramifications of the data breach were far reaching, impacting both the business and its users, leading to numerous “[r]esignations, divorces and suicides.” [7]

According to the Federal Trade Commission (FTC) complaint post-hack, Ashley Madison “had no written information security policy, no reasonable access controls, inadequate security training of employees, no knowledge of whether third-party service providers were using reasonable security measures, and no measures to monitor the effectiveness of their system security.” [7] Part of the FTC settlement required that the company add “a comprehensive data-security program, including third-party assessments.”

In the years since the cyber attack, Ashley Madison have been quietly recuperating and evolving. They have by no means done a perfect job at post-breach recovery, but the intention is there. They have defined, and now understand, why they were a target - both reputational and ease of access. Importantly, they have put the groundwork in to repair their damaged business.

In a major change, Ashley Madison have realigned their central message. They now exist to help those in loveless/sexless marriages, those going through divorce and illness. Ruben Buell, who became president and chief technology officer of the company in April 2017, made a point to publicize the security measures they implemented following the breach: two factor authentication, a bug bounty program, adherence to the NIST cybersecurity standards, a no-third-party policy when it comes to users’ information, and new chief information and security officers.

“Security and discretion” were described among Buell’s key focuses for 2018.

This seems to have worked; by gradually rebuilding their reputation and focusing their efforts on regaining public trust they are reported to have “191,000 daily active users (defined as members who have exchanged messages) and 1.4 million new connections made each month.” [8]

Whether you agree with the platform or not, their bounceback after the data breach and subsequent success says a lot for their recovery and evolution.

ASHLEY MADISON

“ASHLEY’S CORE DIFFERENTIATOR IS DISCRETION.” RUBEN BUELL, FORMER PRESIDENT & CTO, RUBY (ASHLEY MADISON)

If handled incorrectly, data breaches can break a company financially, irreparably damage a reputation, or have devastating consequences for customers. And they can happen to any business. Curating and implementing a communications and PR strategy for managing an unpredictable cyber attack is paramount to a business’s survival of, and recovery from, a data breach.

By doing what you can to ensure cyber resilience through adequately anticipating, stoically withstanding, efficiently containing, effectively recovering, and evolving with humility, brands can safeguard themselves. And ultimately, and fundamentally more importantly, businesses can protect their customers’ data.

Bibliography

[1] Marriott to face $123 million fine by UK authorities over data breach, Tech Crunch (July 7th, 2019).

[2] Cyber Crisis Management Plan for countering cyber attacks and cyber terrorism, The Chartered Institute of Procurement & Supply (CIPS), 2018.

[3] MyFitnessPal: Notice of Data Breach, MyFitnessPal (March 29th, 2018).

[4] Hacked MyFitnessPal Data Goes on Sale on the Dark Web - One Year After the Breach, Fortune (February 14th, 2019).

[5] 620 million accounts stolen from 16 hacked websites now for sale on dark web, seller boasts, The Register (February 11th, 2019).

[6] Sony bosses apologize over theft of data from PlayStation Network, The Guardian (May 1st, 2011).

[7] Life after the Ashley Madison affair, The Guardian (February 28th, 2016).

[8] Ashley Madison attempts to regain the public’s trust, engadget.com (March 29th, 2018).

Signal is the A.I. powered media monitoring platform delivering strategic insights that help you make the best possible decisions.

For more information email [email protected] or call us on +44 (0) 20 3828 8200 (UK and rest of world) or +1 917 398 5931 (US).