The ABCs of post-data breach communication for small businesses
September 27, 2024
The key factors in post-breach communication
To rescue your brand image, remember the critical factors of post-breach communication: transparency, timeliness, and empathy for your customer.
- Don’t attempt to hide an incident: If your customers discover a breach for themselves, the ramifications and damage to your reputation will be severe.
- Don’t dawdle: You should notify affected parties immediately after discovering a breach. Detail the breach’s nature and extent. Provide information on what you are doing to mitigate the risks.
- Respect your customers’ rights: Take charge of the crisis by maintaining a clear, reassuring tone. Demonstrate responsibility to mitigate panic.
Prepare for post-breach communication with a detailed plan
You won’t have time to mull over your options when cybercrime strikes. Plan your data breach communication strategy meticulously before the worst happens. When word gets out, every customer will want to know if their data has been stolen, what type of data is involved, and what actions they can take to stay safe. Your incident response plan must cover each when, how, and what.
When to communicate
Don’t act in fright before you have enough facts. Doing so will create unnecessary panic and muddy the waters for your customers and staff. But don’t wait too long, because you may be accused of stalling or attempting a cover-up. That can do more reputational damage than the breach itself.
Your company must provide accurate, timely information to address customer questions while protecting your best interests. To minimize future liability, it is wise to keep your legal team or practitioner in the loop. If you can’t share specific details (e.g., if law enforcement is involved), be transparent about the reason for not sharing sensitive information.
How to communicate
A well-prepared organization has a communication strategy in place before a breach occurs, allowing for a swift and effective response when every moment counts. This strategy should outline roles, responsibilities, and protocols to ensure that all stakeholders, from customers to employees to the media, receive timely, accurate, and consistent information. Consider the following points to create a comprehensive communication plan:
- Stipulate who will be responsible for communications. Appoint a spokesperson.
- Who is responsible for briefing your spokesperson and communication team?
- Who must sign off on your comms, content, and materials?
- What communication tools and channels should be used?
- Create a single authoritative source, such as a web page on your website, for all updates about the breach.
- Who will manage each channel, e.g., social media platforms, media inquiries, or your call center?
- Who will prepare press releases, send texts or emails, or use social media platforms?
- Stipulate your target audiences, keeping in mind that your staff must stay updated about the company’s position.
What to communicate
Don’t use canned responses. An impersonal “Your security is of the utmost importance to us” won’t cut it when customers feel they have no control over events. They need as much information as possible to understand how this breach could impact them.
- What happened, and when?
- What is the scope of the incident and its impact on operations?
- What is the impact on customers?
- What actions should people take? Identify who is responsible for taking which actions and when.
- What resources or support are available to customers and staff?
- Provide clear directions to access more information, resources, or assistance.
- When can they expect to receive the next update? Keep that commitment. Deliver the promised follow-up communications on schedule, even if only to advise that you’re still investigating.
Leverage your communication plan to regain trust
Recovering confidence and trust after a cyber incident is brutal. In addition to recovering on a purely technical and operational basis, you’ll also have to rebuild your brand.
Lean back into your recovery communication strategy to support your marketing and sales strategy. You can even benefit from raising your communication profile by sending stakeholders post-incident information about your actions to make your company more resilient and efficient.
The best practices every customer wants to see
Keep customers informed about the measures you’re taking to prevent future incidents. This will tell them that you’re serious about cybersecurity while simultaneously serving as an effective way to market your brand. Here are some key cybersecurity practices that customers want to see in the companies they do business with:
- Hire experts: Let your customers know you’ve hired experts to improve your cybersecurity position.
- Provide cybersecurity training for staff: You can extend the benefits to your customers by, for example, dedicating a web page to help customers learn how to improve their cybersecurity.
- Require all staff to use 2FA/MFA: This will improve internal security in an age when automated password crackers can break a simple password in seconds. By communicating such news, you’ll help create awareness among your customers.
- Implement VPNs for all work-related devices to secure communications: Unencrypted data transmissions are easily intercepted. Most people use mobile devices to receive and send emails and messages, but the messages are not immune to tampering unless encrypted. That’s why a mobile VPN should be used for additional protection and encryption. Customers expect companies to encrypt their data and communication, especially if your employees work remotely on portable devices.
- Encourage customers to raise any data privacy, work practice, or cybersecurity concerns: Their contributions can help your company build a better cybersecurity culture for all.
Conclusion
Be wise and always run your communications by your legal team to ensure your position remains legally sound, but giving a heartfelt apology is still a decent thing to do. It’s better to admit to your failings and then go the extra mile to rectify the adverse situation for all your stakeholders.