Data worst case: data theft, and how (crisis) communication succeeds
The nightmare for every company: a cyberattack has led to a data theft. How can this worst-case scenario, not to mention the financial and material damage, be survived in terms of communications without losing customers or shareholders? In a discussion, Sophos and Associate Professor Jason R.C. Nurse of the University of Kent have developed key answers and a guide to this essential question.

When the IT security disaster has occurred and cyber criminals have been able to steal large amounts of corporate data, forensic questions such as uncovering the entry points and how the attackers moved through the network are naturally a strong focus. When it comes to responding to data theft, however, one important point must not be forgotten: What do I tell the public, and how do I communicate it? A cyberattack is always an unwelcome surprise. But with proper preparation and a well-thought-out response, the relationship of trust with customers and the public can in many cases be maintained. As part of its Cybersecurity Summit, Sophos spoke with associate professor and cybersecurity specialist Jason R.C. Nurse* about communication strategy in the event of a data theft. His recommendations are summarized in the following sections.
Have a communication strategy in the drawer for emergencies
The work done before a data theft is critical, but many organizations overlook this preparation phase, at least when it comes to communication strategy. To respond effectively to a data breach, the company must determine in advance who will be the spokesperson, how best to reach customers, and what general communication rules will apply.
The list of those speaking in public should be as small as possible, ideally a maximum of two people "with weight", because journalists want an expert or an executive. This helps to ensure that the message remains consistent and confusion is avoided. It is helpful to anticipate possible questions from the press, shareholders or customers and have concise answers ready. This master plan should be prepared for various security incidents and kept up to date with regular reviews. In addition, these regular test runs ensure that every employee knows their responsibilities and who they may talk to about what.
Data theft: disclose or keep secret?
Honesty remains the best strategy in the case of corporate incidents, unless a legal regulation dictates otherwise. If the company decides to maintain secrecy, there is always the risk that the incident will come to light later and the damage to its image will be all the greater. In addition, those responsible must not underestimate the fact that the stolen data can end up on criminal online markets and thus also become public.
Assume responsibility
When a cyberattack has taken place, those affected are quickly tempted to portray themselves as victims. And while this is certainly true in a technical sense, the public often views such behavior negatively. Any organization or company that is entrusted with or works with personal or other important data has a responsibility to protect that data. Therefore, companies should understand the dimension of the data theft from the customer's point of view, take responsibility, and communicate quickly, clearly and factually how they are responding to it.
Quick guide for crisis communication - not only in the event of a data theft
- Reply quickly. Often there is only one opportunity for the first impression and it should be trustworthy. Good preparation facilitates an immediate response that is measured and accurate.
- Deliver a clear message. No jargon when addressing customers, shareholders or the general public. Direct and emphatic communication is far more effective.
- Use a single source. Communication via different news areas or corporate social media channels can quickly dilute what should be a clear message. A single and up-to-date statement directly from the company's management via a corporate channel helps to get the message across clearly.
- Take responsibility. Shareholders, customers and the media honor companies that stand by their mistakes.
- Keep all affected parties informed. Set up an action plan to keep shareholders and customers competently informed even after the first "going public". In this way, the good relationships that have often been built up over many years will remain intact.
*Jason R.C. Nurse is Associate Professor of Cybersecurity at the University of Kent and Visiting Scholar at the University of Oxford. His research focuses on the socio-technical aspects of cybersecurity, privacy, and trust. He has incorporated his years of research into an evidence-based frame of reference that elaborates the best way to deal with potential relational-level harm associated with a cyberattack. The conversation with Jason R.C. Nurse can be found in the video at the following link: https://nakedsecurity.sophos.com/2021/02/03/what-should-you-say-if-you-have-a-data-breach-catch-up-with-jason-nurse-at-sophos-evolve/