It’s almost certain that at some point every firm will come under cyber attack, leading to the potential theft of customer data. Yet despite this, risk management firm Stroz Friedberg found that less than half of senior executives believe they’re personally responsible for their firms’ defences against hackers.
Writing for Harvard Business Review, Bill Bourdon says, like it or not, data security is your responsibility, and when you’re under attack, honesty is the only way to reassure customers and protect the firm’s reputation.
PROCRASTINATION PUTS CUSTOMERS AT RISK
It was bad enough that Equifax took nearly six weeks to come clean about being hacked. Target said nothing until its breach was reported by security journalist Brian Krebs, and the SEC was slower still, staying silent about its breach for a full year.
The longer you wait before telling customers their data is compromised, the more chance there is that hackers will have sold the information on the dark web before people can do anything to protect themselves.
When Yahoo disclosed it had been hacked, CEO Marissa Mayer should have forced a reset of all passwords. She didn’t, reportedly because she was worried that making users renew their login credentials would annoy them. But how could people protect their data if they weren’t even aware of the hack? It isn’t humility and transparency that destroy your reputation; it’s the lack of them.
LACK OF CLARITY IS NEGLIGENCE
A data breach is an organisational failure, and as the firm’s leader, it’s up to you to lead the way in providing clear and timely updates on the situation. Even if you don’t yet know all the details, it’s better to admit that much than to obfuscate.
Although Sony shut down its PlayStation Network as soon as it realised it had been breached, the company didn’t admit the breach for two days, and it was only over the following weeks that details of the incident slowly trickled out. If you don’t tell customers what’s happening, they’ll assume you’re covering something up – even if you’re not.
While US law concerning the disclosure of data breaches is patchy at best, varying from state to state, the EU is about to enact legislation that requires firms to report a breach within 72 hours of becoming aware of it. That’s the deadline your incident response plan should be built around, because failing to notify customers not only puts them at greater risk of fraud, it’s also plain bad service, and worse, it’s negligent.
A MEASURED RESPONSE IS KEY
In response to its breach, Equifax eventually offered affected customers free credit monitoring for life and stopped charging for credit freezes as an extra layer of protection – but only after it had initially tried to profit from its own security failure.
Just as Yahoo’s first priority should have been to protect its users, Equifax should from the outset have “offered free, condition-free monitoring to help customers stay safe”. Its failure to do so severely damaged the firm’s reputation. Your response to a security breach must be commensurate with the seriousness of the problem, even if the measures you enact cost a lot of money, because losing your customers’ goodwill will cost you more.
You’re the boss; cyber security is your problem. When your firm comes under attack, don’t shirk your responsibility – own it.