Breaching the Secret to Cybersecurity Communications

April 24, 2017

With the business landscape changing on a regular basis, keeping your organization, your customers, investors and other key stakeholders informed has become an essential part of maintaining effective business operations. It’s key to make sure these groups are clear on business priorities, what’s going on in your company and the company’s perspective on major industry events.

When a tweet, a blog, or a passing comment to a reporter can shift the business dynamic in mere minutes, quick and thoughtful communication is more important now than ever. Cybersecurity is one such area in which this is especially true.  A casual reference to a breach immediately raises red flags and becomes a topic that reporters see as “news” to uncover in depth. This is because a breach can have profound effects on a company’s entire ecosystem of management, employees, customers, suppliers, shareholders and brand.

I can speak firsthand about how cyberattacks can cause damage to the customer relationship, in addition to a company’s business revenue and brand reputation. My own personal identity was hacked not long ago when someone used my information to get a loan in my name. I was able to look at the hacker’s loan submission and decipher that he or she likely got my information from a large company with which I had recently done personal business. I can tell you that I will never do business with that company again.

A communication strategy didn’t appear to be in place. While I took all the recommended actions to put alerts on credit reports, file police reports, etc., I never received any communication from the company. I’ll never know if the user is gone for good or just hiding in the weeds. When I step back from it all, the company that gave up my information probably doesn’t even know that they were hacked. And they certainly didn’t intentionally do anything wrong. In fact, they were a victim of the attack. But that’s not the way the media would see it. 

When a breach is revealed, the attacked company is portrayed not as a victim, but as negligent and, in a subtle way, complicit in the event that ultimately exposed partners and customers. In short, it’s clearer than ever that cyberattacks can have an existential impact on companies. If customers don’t trust a company, then they simply won’t do business with them. These types of brand implications are indelible and a communication strategy is invaluable.

Recovering from a breach

After a company has been attacked, recovering from the security breach is far more difficult and unpredictable than it would have been to take preventive measures up front. What’s more, studies show that the average financial cost of a data breach has grown over the past year from $3.8 million to $4 million. For many businesses, cybersecurity protections may seem like an optional investment, needed only in heightened circumstances. Instead, companies should view protection in the same category as liability insurance and preventive building maintenance. Information may be leaked, acted upon, and tracks covered before the hacked company even knows of the intrusion. And unlike a theft of physical material, you may not know the breach has occurred for weeks, months, or even years. So vigilance is critical to see anomalies when they are happening.

Communication is essential to helping prevent customer loss, investor doubt and negative public perception. When I read about a company that has suffered a significant cyberattack, I study their attempts to disclose the bare-minimum facts, while mitigating fears of customers, and limiting the perception of the breadth and depth of the attack. It’s pretty easy to tell a company that had a communications game plan vs. one that didn’t. Any company can be attacked, so be prepared.

With the volume and types of cyberattacks growing, businesses need to make sure they have a response strategy in place. AT&T’s own research shows that it blocks 75 percent of email traffic transmitted across its network because of suspicious content, and 90 percent of U.S. organizations report that they had malware, worm or virus attacks in 2016. Fifty-eight percent of those organizations acknowledged that they experience occasional or frequent malware threats. These numbers indicate a need for businesses to better manage cybersecurity concerns proactively and reactively, and handle communications successfully if a cybersecurity incident occurs.

Protecting your business

The best approach to protecting your business is your up-front work. It requires a multilayered cybersecurity plan. It’s impossible to protect a business by counting on each employee to be vigilant and take appropriate action. This is like assembling a group of masons, carpenters, electricians, flooring specialists, roofers, etc., and telling them to build a house without any plans. There needs to be leadership and planning to see to it that a company is protected from cybersecurity attacks and able to respond to malicious activity in real time, which means the threat needs to be understood and acted upon starting at the top of every company.

If your company has a well-conceived and executable plan, identifying the source, the scale, the scope, and the implications of the breach may be straightforward. Then your communications can disclose information in a timely manner, with confidence and details, and outline all the preventive measures taken to mitigate the concerns. This will significantly reduce perceptions of negligence or management generally being cocky or asleep at the switch.

From my experience, effective security communications require three key pillars:

1. Have the right stakeholders ready. The worst thing you can do for your brand once news of a breach hits is to have to scramble to find out who to work with to understand the issue, who is communicating to what audience, and who needs to be looped in.

Every business should create an incident response team that includes the appropriate security and IT professionals to quickly identify and explain any security issue, communications representatives to instantly start crafting messaging on the issue, business leaders to help escalate to leadership, and any other legal or external advisors who should weigh in from your organization. Having this team ready means that you are prepared to respond when a problem arises.

2. Get a clear understanding of the issue and its impact. When communicating to your customers, investors, and executives, make sure you have clear, direct messaging with the latest intelligence on the security issue. When messaging is vague or insinuates a lack of full understanding on what happened, it can contradict your goals and create more uncertainty or fear around the security incident.

Take the time to work with security professionals to figure out what kind of security issue occurred, how it happened, and what could result from that action. That way, you can inspire confidence externally that your organization has the capabilities to handle and mitigate the issue.

3. Stand ready to resolve the issue. Communications should not only reflect the problem, but also the solution. Even if the solution is not immediately clear, it’s important to make sure that those affected know that you are actively working to fix the issue and keep their privacy a priority. Every employee, customer or business leader wants the assurance that you are keeping their interests in mind and that the issue will be addressed.

In order to make sure this is possible, you should take your incident response team, and practice resolving security incidents before one actually occurs. Having a plan in place that has been tested will see to it that you are ready to take action.

If needed, enlist help. There are teams of third-party consultants available that provide incident response efforts full time. Enlisting one of these teams to stand ready can help make sure your team is properly equipped to resolve a security attack and communicate that resolution effectively.

While these seem pretty straightforward, when the fire alarm goes off, being clear-minded and purposeful can be more challenging than expected. When the calls, emails, and tweets start coming in, and the pressure builds, keeping calm and taking the time to get communications right are critical.

Advance planning in these three areas will help you take action more quickly and train people on how to respond to inquiries. Yet, beyond doing proper planning, including identifying who should be involved and what information must be gathered, you also need to figure out how to communicate the issue.

When a problem arises, your teams, customers and trusted stakeholders need reassurance. They want you to be proactive and keep them informed. When dealing with a major security issue, figuring out what to say can be tricky, given the wrong word could create panic or concern.

When you’re writing messaging on a cybersecurity issue, consider the following tactics:

  • Avoid jargon. Cybersecurity is a complex field. When you’re dealing with issues like “port-blocking,” “malicious actors,” “trojans,” and “backdoors,” it’s easy to get swept up in the lingo when trying to explain cybersecurity concerns. But if your stakeholders and customers do not share the same level of knowledge, these terms can be overwhelming and inspire more concern. Keep your language simple and clear so that any reader can understand.
  • Be transparent. Skirting around the issue does not get you anywhere. Acknowledge what happened up front to avoid frustrating your employees, customers and investors as they try to figure out what “we may have experienced an issue” means. They want and need to know what happened to make sure they take any appropriate action to protect their own assets and operations.
  • Keep your brand values at the core. When you communicate on security, remind people of what you stand for: You keep your customer values at the forefront, you will always act quickly, you’ll continue to keep the experience effortless and easy. Whatever your mission statement is, your customers and other third parties work with you because they believe in your products, services, people and brand. It’s therefore important to remind them why they believed in you in the first place when you are communicating news that might raise some doubts.

When implementing your communications plan, keep in mind that many people within your company may be asked about the breach. As such, it’s important to provide messaging and an approach to internal stakeholders, such as sales people, customer care, service people, general managers and executives. A few talking points will go a long way when coupled with guidance to not be defensive, doubtful or evasive when asked about the event.

These principles will help guide your communication and make sure you best position your organization for success. Communications on serious issues like security can have an exceptional impact on your business. In an environment where making business decisions in real time has become the norm, we can’t let communications get lost in the mix. Treating your external messaging with the same care, attention and urgency as you do any other major business decision will help your organization handle cybersecurity issues effectively.

Steve McGaw
Steve McGaw is CMO of AT&T Business Solutions. He is responsible for AT&T’s business marketing organization. Prior to his current role, he served as senior vice president of corporate strategy. During his 29-year career, he has also held key leadership positions in corporate development, business marketing, sales, international and technology planning roles at SBC and AT&T Bell Labs.

