As a CEO, one of the worst things that can happen is seeing a data breach. Depending on the type of breach, it can be a sign of problems that run deeper than expected. This is always worth investigating after the breach has been dealt with. But the breach itself must be contained first, and all eyes will closely follow the management’s steps.
It’s Never Positive
Understand that there is simply no way to fully mitigate the financial and reputational damage that will occur. It’s futile, and attempts to do so will backfire. Trying to put too much of a positive spin on your company is not advisable.
The first thing one should not do – whether the company is small or large – is to downplay or outright hide the existence of a breach. If it’s serious, it will eventually get discovered anyway. Accept the blame for the breach and leave it at that.
A hands-on approach is essential. All stakeholders want to see the top management engaged hands-on in handling the breach. Spokespersons or engineers should not make public announcements instead of a CEO. It is perceived as cold and uncaring, as if the management isn’t too concerned about the current events. Users whose data was breached could feel like they aren’t important at all.
Don’t get caught like a deer in headlights. Understand what’s going on – even if it means brushing up on your tech knowledge. Be honest about what happened. This creates trust and confidence that you’re handling matters properly and responsibly.
Know what the unknowns are. If you’re not aware of certain aspects, don’t be afraid to say it. Don’t know the extent of the breach? Spill the beans – but make sure you have a team that’s going to find out.
Sometimes, hiring third-party IT investigators can be helpful. They can also show if your IT team has been doing a bad job lately, which could have resulted in a breach.
Honesty is the best policy when it comes to breaches. Dishonest and manipulative companies get chewed out fast. Just look at the recent Equifax breach – everyone is condemning the admittedly horrible handling of the breach by the management. You certainly don’t want to be in the next headlines.
Speaking of Equifax, they reportedly waited before disclosing the breach to the public. This undermined the public’s confidence in the company. However, the board doesn’t seem to mind. Insider trading allegations claim that executives waited to disclose the breach until they had managed to sell their shares.
Reaching out to everyone is a terrific way of ensuring you won’t get attacked for hiding anything. It shows you can own up to your mistakes.
There are better ways to handle a breach. Deloitte has recently experienced a breach, but few have heard about it. Why? They’ve been forthcoming about it, and have notified the regulators and the public immediately.
The supervisory authorities (regulators) are not there only to dish out punishments. They can be very helpful when it comes to providing advice and helping you get back on track. Keeping them informed is also a legal requirement. You really don’t want to take too long to report your breaches, unless you want to pay a huge fine.
The affected individuals won’t care much about explanations about what happened and why. They care about what you are doing to protect them. Do have something to give them. Don’t make false promises, though. Enact reasonable measures that show you honestly care about what has happened.
Your public image matters a lot when dealing with breaches. Internally, you should follow your incident response plan and try to determine the extent of a breach.
Externally, communicate about what is happening. Keep everyone up to date, and provide correct information. Be as transparent as possible, and accept your responsibilities in the breach. That’s the best way of winning back your users’ and customers’ confidence.