Marketing executives: get prepared for digital security breaches
Here’s a question: is your firm (and the marketing organization in particular) prepared for the hours, days, and weeks following a major breach in your organization’s security perimeter from an external or internal attack? If the answer is no, or maybe, you are in good company. Like ostriches with their heads in the sand, the large majority of marketing execs don’t have an operational plan for communicating with customers following the damage wrought by a major security breach. Yet, it really could and really does happen.
Take Equifax, for example–but don’t follow their lead. The firm’s breach was discovered on July 29, but it wasn’t reported publicly until six weeks later. This long delay occurred despite the number of people put at risk from the leak and the severity of the impact to consumers. Making everything so much worse, three of the company’s top executives sold Equifax shares a few days after the breach was discovered. These executives, including the chief financial officer, the president of U.S. information security, and the president of workforce solutions, surely knew better but did it anyway. Bloomberg estimates the total value of shares they sold to be $1.8 million. When the news finally did come out, the company’s reputation was sullied almost beyond repair. Finally, the CEO was forced to resign (albeit with an $18 million pension benefit). What a difference it would have made to the outcome if the company had come clean from the outset and the executives had behaved contritely and correctly. Although the breach had occurred weeks before the disclosure, how they mishandled and delayed the external communications made it many times worse.
How can more companies stop repeating this and other bone-headed examples? It’s time for businesses to take a page from the Department of Defense and the uniformed services’ handbook. We’ve all seen movies in which the military conducts exercises to ensure they are prepared for action. These exercises happen in real life, and can be conducted on a large-scale basis (e.g. NATO), within a command or even on a single base. The military’s objective is to map out and war game an incident of some sort (e.g. a virus breaks out, a collision occurs, an invasion starts or a serious conflict flares up) and practice how they would handle it. The purpose of these exercises is to ensure readiness and preparedness, as well as to learn from mistakes, identify why they occurred, and improve on them.
Just think for a moment what would happen in your organization if a breach were to occur. Keeping in mind how the military runs its exercises, can you easily answer the following questions? If the answer is yes, could you quickly re-enact and operationalize the plan and steps needed to protect the firm and ensure the customer’s trust? For example:
- What and how will you communicate to customers immediately following a breach?
- What will you say to the press?
- How will you communicate with employees? What will you tell them to do?
- What interactions will you have with customers in the days and weeks following the initial event?
- How will you operationalize the 1:1 customer communications typically required and usually promised?
- What should you say to the press initially and on an ongoing basis?
- How should the customer contact center respond? What script should the customer service reps follow?
- Will additional staff be needed in the customer contact center to answer a greater volume of calls? Where will those additional staff come from?
- What changes should be made to your website? What would it look like?
- How will you use Facebook and other social tools to communicate with customers?
- What is the follow-up communications plan for the weeks and months following the initial event?
- What information should be communicated to business partners and influencers?
- Who will be the spokesperson(s)?
- Who will communicate with government and industry regulatory groups? What will they say?
If your business were to magically get transplanted into the Air Force, Navy, Army or Marines, your team would be required to know the answers to these types of questions and understand how to swing into action. This type of readiness is how we should be thinking and acting within our industry sectors and businesses.
Fortunately, many firms in the high-target industries that attract espionage or crime (such as telecommunications, aviation, power utilities and banks) already do “war gaming” exercises that are focused on handling massive security breaches. But these exercises are usually done at the deeply technical level and involve scenarios like shutting down certain servers, moving the processing of mission-critical applications from one facility to another, and so forth. These exercises aren’t at the business level; they stay at the technical level. But the entire organization should stop to ask itself–how will we respond to our employees, customers, the press, influencers, regulatory bodies and other entities if suddenly millions of customer records are stolen for nefarious purposes?
This may seem like a highly remote possibility to many CEOs and CMOs. But if hackers can make off with the confidential personal and financial records of 143 million consumers in Equifax’s systems, and if the US election was influenced or swayed by Russian cybercriminals, then it could happen to you too. Be prepared. Be very, very prepared.