
How to respond to a data security crisis?


Carlos Maya

Science fiction has become reality: we live in an era in which hacking, information leakage, cyberterrorism, trojan viruses, cyber extortion, identity theft, etc. are common news and happen on a daily basis.

We hear about data leaks at big companies around the world that destabilize stock markets, unsettle investors and even put governments in check. This is our reality.

Because of all this, it is important for companies to have a crisis response plan in case of a computer incident. Below we discuss how to handle such a situation.

What do companies do wrong when they face a hacking crisis?

The main mistake companies make is trying to hide, which is usually the first thing they do. They normally take too long to face and acknowledge what went wrong and its consequences.

It is imperative to be transparent on the matter because the image of the company could be compromised not only among customers and the general public but also among shareholders.

 

What can you do to turn a data leak crisis into an opportunity?

It is commonly believed that crisis is a synonym for opportunity and that, once it is solved, everything will improve immediately, but this is not necessarily the case (read about TAESA below). Remember that nothing speaks better about a company than the way it behaves during a crisis, so it is important to take the right steps to really turn a crisis into an opportunity:

  1. Face it: recognize the situation.
  2. Give a calming message to every affected party, stating the solution, the compensation that will be given to those affected (if necessary), and the plan for preventing such attacks and/or mistakes.
  3. Control the journalists: that message should answer every question the press might ask, so that the company, and not the media, sets the agenda.
  4. As you plan your message, remember the famous "C": consistency, clarity and consistency.

 

What to avoid in case of a data leak crisis?

  1. Lying or hiding relevant information.
  2. Being inconsistent with the company's values.
  3. Not having a spokesperson: remember that the crisis spokesperson does not necessarily have to be the CEO or the communications director. An empathetic spokesperson should be chosen.

 

The role of the public relations and communication agency

When a public relations crisis arises, the agency's role is key to solving it, which is why a series of immediate activities will be carried out:

  1. The most important thing is to understand that the past cannot be erased. We must recognize the crisis.
  2. Actions to reduce the impact.
  3. "Start the healing process": delimit responsibilities, penalise the guilty, promise that nothing similar will happen again, and communicate the actions that will help keep it from happening again.

 After the crisis

In all the time I have been working in crisis management, I have noticed that most companies focus too much on getting out of it, but they do not focus on preventing it from happening again.

Remember the TAESA case? This was a low-cost Mexican airline that filed for bankruptcy after an accident in 1999, in which 18 people died. The accident provoked a public relations crisis that was aggravated by previous security problems, since the company wasn't very clear in its communication. Most importantly, it was not prepared to withstand the subsequent thorough examination of its airplanes and protocols, which were deficient. In addition, after the accident the airline was denied an important loan that would have helped it extend its operations.

 

How to prevent a hacking crisis?

I am convinced that crises can be prevented, so we must consider a crisis plan. To create it, two specific preventive tools are considered:

  1. Risk matrix, in which, in a 100% transparent exercise, the risks that your company runs are analyzed. One of them should be data vulnerability. If you know what your risks are, especially for crises that cannot be prevented, the damage may be reduced.
  2. Signal analysis. Obviously, in retrospect this is very simple, but we must admit that we are in the WannaCry and Panama Papers era. We must pay attention to the crises that other companies have suffered or to the particular context in which we operate.

 

What happens in Mexico?

Globally, fewer than half of companies have a concrete and written plan to deal with a crisis (49%). In fact, even fewer people (32%) say they do drills or training (source: "A crisis of confidence" study, Forbes Insights, on behalf of Deloitte Touche Tohmatsu Limited, 2016).

If this is the case globally, in Mexico the number of companies prepared for a crisis is much smaller still. The ideal is to equalize specifically allocated to this area, not only to "put out the fire", but to prevent it, to elaborate the risk matrix and, based on it, a crisis management plan.

Likewise, we must consider that this type of service must be provided immediately, especially in a context where every minute counts, so it requires experienced professionals to execute the actions correctly.
