The latest name to be splashed across the headlines in relation to a cyber hack is one of Britain’s largest tech companies, Sage. Albeit smaller in scale than the TalkTalk debacle last October, Sage’s difficulties place it onto a growing pile of high-profile security breach stories that have gripped industry-watchers and been painfully dissected by news outlets.
Handling the media end of a cyber security breach is a PR’s worst nightmare, but handle it they must. With attacks today a matter of when rather than if, dealing with the aftermath of these breaches is at least as important to shareholder and customer confidence as protecting against them in the first place.
And as with all crisis communications, preparation is key.
Let’s take a close look at the timeline of the breach, and – in particular – what was communicated externally to the company’s various stakeholders: shareholders, employees, customers and the media.
‘A few weeks’ prior to 11th August: Reports have since cited company spokespeople suggesting the attack happened ‘in the last few weeks’, meaning Sage had a fair head start on getting its sh*t together before going public.
11th August 2016: Sage starts to personally ring all 280 affected business customers, relaying the following somewhat vague statement:
“At this stage, we are unable to confirm if data relating to your company has been affected, however, we felt it necessary to make you aware at this early stage.”
13th August 2016: News of the breach starts to be picked up by smaller information security blogs. Sage also informs City of London Police around this time.
By this point Sage releases a statement on its homepage:
“We believe there has been some unauthorised access using an internal login to the data of a small number of our UK customers so we are working closely with the authorities to investigate the situation.
Our customers are always our first priority so we are communicating directly with those who may be affected and giving guidance on measures they can take to protect their security.
If you have any concerns at all, you can reach us on the following contact details:
The dedicated helpline number is 0845 145 3345 – please leave a message with your details and we will get back to you as soon as we can. You can also get in touch with us by emailing us at firstname.lastname@example.org.”
15th August 2016: The FTSE 100 opens with Sage’s share price dropping by 3.9 per cent in the first hour of trading. Some commentators begin to draw parallels with TalkTalk – another prominent UK tech company – which many perceived to have mishandled communications around its own data breach.
Sage clearly had a communications plan that seems to have consisted of three tiers: tell our affected customers first, get in touch with the authorities, then let the wider media and public know. But when those affected are made up of almost 300 companies, it’s going to be very difficult to stop the media and wider public from sniffing out the story.
Rather than coming across as one smooth and coherent communication, in the end the announcement seemed unplanned, unprepared and off-the-cuff, with a distinct lack of concrete information or openness.
Whether that is true or not hardly matters. Perception is reality, and the net effect has left Sage appearing more than a little disjointed and incoherent at precisely the time you would expect them to be clear and unequivocal.
Even now the official company response suggests they don’t know whether the data was merely viewed… or used. If that was your data, wouldn’t you want to know?
The most significant mitigating factor in the defence of all companies affected by cyber breaches is that many simply cannot know the precise scope, impact and consequences until they’ve had days or even weeks to forensically piece it all together. In a 24-hour news cycle, such uncertainty does not play well. We could recommend a few excellent cybersecurity solutions to help, but that’s a different blog entirely… 😉
Ultimately, a well-thought-through and effective communications strategy would have seen clear evidence that:
- All staff were briefed first so that everyone was equipped to communicate a consistent message.
- A full and forensic analysis of the breach had taken place, establishing accurate information about the attack so that the firm could share it with the public in a timely fashion.
- The internal communications team were fully prepared for media and customer queries.
- Affected customers were notified appropriately as soon as possible, as per the directives in the Data Protection Act and other legislation. While the phone call was a nice personal touch, to ensure the message got through to customers it should have been backed up with texts and emails, as phone calls don’t suit everyone.
Admitting your company has been breached is a tough break to catch, but with such instances of targeted cyber attacks increasing sharply, big corporates – especially the tech ones – need to grasp the nettle and quickly abandon the reluctance to own up.
After all, it’s not just the severity of the attack itself that determines the cost to your business. The way you manage and communicate the attack can make a huge impact on your brand, and your customer loyalty – as TalkTalk knows only too well. Both internal and external communications are the crux of any breach response plan.