Plugging the breach: responding to a cyber security crisis
No matter how big your organisation is, and how refined you think your IT security is, it seems there are equally well-resourced and sophisticated hackers working to crack into your system.
With the increasing use of cloud-based systems, online apps, social media and the drive for “big data” platforms – all designed to share information sharing – cyber security is a topical subject for all businesses.
We’ve seen banks, retailers and even a website called Ashley Madison fall victim to hacking. The resulting data breaches, phishing scams, system hacking, as well as accidental and intentional releases of confidential information, represent real and significant threats to any organisation.
The fallout from a breach can include legal and financial issues – but equally if not more importantly – it can have a monumental effect on stakeholder relationships and perceptions. Brand trust can be destroyed and clients can be lost.
While the IT department focuses on doing its best to thwart hacking efforts, communications professionals need to turn their attention to having a data breach crisis management plan.
While this plan will have the same elements as any other crisis management plan, including clearly defined roles and responsibilities for each crisis management team member, there are key differences.
Firstly, it’s important to note that the Australian Government’s Privacy Act regulates the handling of some personal information (such as that of your customers and clients). In addition, the Office of the Australian Information Commissioner oversees this legislation and can investigate potential breaches, regardless of whether you’re in the private or public sector.
Furthermore, the OAIC provides guidelines on how it prefers organisations to respond to potential data breaches. Adhering to these will help prevent further issues down the track.
While these guidelines address a number of areas, it does highlight OAIC’s preference for direct notification of affected or potentially affected parties, such as through emails, letters and calls, rather than via indirect communication, such as websites and social media.
It also makes it clear the sooner you contact affected and potentially affected parties, the better. It also emphasises the need for communication to be transparent and open so that those affected know exactly what has occurred, when it occurred, the data potentially leaked and how they should respond (eg change their log in details).
As with any crisis, a timely, coordinated and strategic response, ideally worked out before an event occurs, is critical to communicating with staff, media, regulators and stakeholders in the event of a security breach.