During the COVID-19 pandemic, the cybersecurity vulnerabilities and risks companies face have increased. People are working from home, utilizing networks and devices that are often less secure than those found in the office. And the degree of stress caused by a crisis such as this makes it more likely that the average person could make behavioral mistakes when online, according to FoxPointe Solutions, an information risk management firm and Mower client.
As concerns about data breaches increase, so do fears of corporate reputations being damaged. Mitigating or, ideally, preventing short- and long-term negative impacts to a company’s reputation falls to the company’s crisis communications team.
The overarching goal when communicating about a data breach or other cybercrime is the same as in any crisis: to get the company back to business as usual as quickly as possible. Achieving that objective is largely based on what a company does during the earliest stages of a crisis.
While each situation must be handled differently and there is no one-size-fits-all approach to crisis communications strategy, there are several guidelines that should be followed when a company confirms a data breach has occurred:
- As soon as you have all the facts, notify all customers, regardless of whether their data was exposed, that a breach occurred.
- Legal and/or regulatory requirements of what you must report should be the minimum information you disclose; think about what you would want to know if a company you do business with was breached and provide information accordingly.
- Explain the steps that have been taken since the incident was discovered, especially when customers were notified and what the company has done to limit similar events from happening again.
- Make it as easy and fast as possible for customers to get information, such as a section on the website or a phone or chat hotline.
Ensuring that these and other communication actions are effective requires strong key messages and a strategy for delivering them. Remember that during the COVID-19 crisis anxiety levels have increased and people are feeling vulnerable. Your communications need to take that into account.
What are the most important points to convey about what happened? What’s the right timing and sequence for communicating with different audiences? Which paid, earned, shared and owned media should be used to communicate? These critical questions and more should be addressed through a crisis communication plan.
The cybersecurity risks and vulnerabilities that always exist for companies and employees are, unfortunately, more acute as the COVID-19 crisis continues. Regardless of the timing and circumstances around a data breach or other cyberattack, a strategy of strong, transparent communications is necessary to move from being a company in crisis to business as usual.