The conflict in Ukraine has highlighted that battles are being fought not only on the ground and in the air but also in cyberspace. Attacking and disrupting data are now seen as legitimate strategies to weaken an adversary, and cybercrime is more prevalent than ever. Given our reliance on data and the increasing sophistication of these attacks, the likelihood of becoming a casualty of the cyber war, either personally or at work, is greater than ever before.
We are increasingly reliant on our computers and IT systems to run our organisations and our personal lives. It is hard to imagine how we might manage without them, yet we are obliged to place our trust in others to keep our data safe. Our dependence on IT and connectivity makes us vulnerable; the loss of a system or the data it contains will bring business to a standstill very quickly.
As well as the many technical challenges presented by cybercrime, there are significant challenges around how and what to communicate should your organisation experience a data breach.
The loss of data might be caused by a deliberate attack upon your system, or it might be caused by human error such as the loss of a laptop or storage media. Whilst the loss of data must always be regarded as a serious incident, in the initial stages it is often not in the public domain. This presents a challenge in itself: if people are unaware of the incident, do we need to tell them, and if we do, when and what do we share?
From a regulatory perspective, the loss of confidential data held by an organisation is a serious incident and must be reported to the Information Commissioner’s Office (ICO) within 24 hours of becoming aware of the essential facts of the breach. Beyond this, the ICO expects that if the breach is likely to adversely affect the personal data or privacy of your subscribers or users, you notify them of the breach without unnecessary delay.
However tempting it might be to hold off going public, the ICO requires you to inform those affected. Given that the numbers involved are likely to be significant, and given the nature of the compromised data, once you have disclosed that data has been compromised it is highly likely that the information will find its way onto both social and mainstream media.
Whilst it may be very tempting to say nothing, at least until someone becomes aware of the incident, in reputation management telling bad news first is regarded as a positive step. It puts you on the front foot rather than being seen as reactive or as trying to conceal something. It tends to draw the media to you, which allows you to tell your story first, in your own words, and gives you some control over the news agenda.
There are two distinct challenges in dealing with a data breach. The first goes to the heart of reputation management: in losing personal data, your organisation has broken its promise of trust. You promised to keep my data safe, and you didn’t. Why should I trust you now? Rebuilding that trust is crucial, so within your communication you must show that you care and that you understand the concerns of those affected. An apology, even if the data breach is the result of criminal activity, is entirely appropriate.
The second distinct challenge is that it is hard to provide visible evidence of what you are doing to address the situation. In many incidents it is relatively easy to show the actions that have been and are being taken to rectify a situation. With data breaches it isn’t. Within your communications you will have to work hard to show what is being done and what those actions mean. As part of your preparation for dealing with a data breach, it would be wise to list the actions you would take should it happen.
Be positive and be open. Be ready with your communications and work hard to rebuild trust.