If an individual or activist group broke into an organization’s office, raided confidential materials and then burned the building to the ground, local, state and federal officials would swarm the crime scene in an all-out effort to bring the perpetrators to justice for an act of terrorism. Meanwhile, savvy online audiences and members of the media almost dismissively refer to the online versions of these raiders as “hacktivists,” conjuring up images of harmless school kids having fun pushing the boundaries of online security.
As we saw this morning with the Susan G. Komen Foundation website hack — and again as “Anonymous Brazil” signaled they had successfully “taken down” the website of Brazil’s largest state bank — these groups are anything but harmless. One study from 2011 identified the average financial impact of these types of breaches to be just north of $7 million per incident.
Whether you are a respected non-profit with a decades-long track record, or a state-owned financial institution in Latin America, organizations must diligently prepare for inevitable online intrusions and the challenging communications demands that result. There are four key considerations for organizations seeking to retain credibility and confidence as trusted stewards of information before and after a breach.
Think Ahead and Anticipate
The best offense is often the best defense — and this is certainly true in the online security game. Every organization that handles data in any form (online contributions, email petitions, online sales, social gaming, employee data, etc.) is vulnerable to attack. Smart organizations are using their pre-hack peacetime wisely to invest in a forensic security assessment and to address the weaknesses it identifies. In addition to the technical diligence, organizations must ensure their corporate communications, IT and legal teams understand who will be responsible for managing breaches and have a well-planned rapid-response crisis program in place.
In the immediate aftermath of an attack, the lack of information can cause severe organizational paralysis. This paralysis hampers communications efforts, ultimately allowing external forces to shape the lens through which a response is viewed.
Identifying immediately what you know for certain and what you don’t know is critical. For example, organizations need to be prepared to address questions and concerns about the security of the system. Even though an activist may hijack a site to make a political point, it highlights a deeper potential for vulnerability that must be addressed.
Importantly, saying something does not mean saying everything. The rush to respond can have equally devastating consequences for the ill-informed and unprepared. Communicating what you know for certain and what you are doing to investigate — and even what you are still trying to determine — demonstrates responsiveness and transparency to stakeholders that rightly feel equally violated by the breach. Creating a direct response channel for those exposed — via an online registration system or a 24/7 call center — is another important sign of responsiveness. Total silence creates a vacuum of frustration that antagonists are only too happy to fill.
Know the Law
Every single state in the Union has separate reporting rules and regulations for what constitutes personally identifiable information (PII). These rules also govern when organizations that have been the victim of a breach must notify the public. Attempting to unravel this multi-state patchwork for the first time with your stakeholders, the media and law enforcement officials all demanding answers can be crippling.
Ensure that your team understands the regulations in each state — and country — you operate in, and make sure your compliance team is fully integrated with your communications team. Often, you will not be the arbiter of when to go public with news of your breach. The worst thing an organization can do from a reputational standpoint is to allow the narrative to shift from being the victim of an attack to the villain who failed to notify and protect those individuals whose data may have been compromised.
Remember, You’re Not Alone
In almost every case of online breaches, the “victims” number in the thousands — if not millions. It is not just the organization that has been violated, it is every employee whose social security number may have been exposed, every charitable donor who supported a cause, every business partner that shared data and every consumer who purchased a product. Keep these important groups informed and at the forefront of your communications efforts. They can be powerful advocates. Engaging quickly with local and federal law enforcement officials shows transparency and responsiveness — don’t be afraid to tell that story of cooperation.
In 2012, data will continue to emerge as the new form of global currency, and hacking will continue its evolution as the new face of popular protest. The fundamental reality for every business or organization is that everyone is now in the business of data — and its protection.