
Damage Control: Addressing Reputational Harm After a Data Breach

Data breaches are costly. Direct costs, such as remediation, notification, litigation, fines and potential ransomware payments, are relatively easy to measure. The indirect cost of reputational damage can be harder to capture, but it can have a long-term impact on a business.

Trust is essential to a company's brand image. A breach can tarnish that image in the eyes of consumers, business partners and the public markets. Depending on how the organization responds to the breach, brand damage can lead to lost business. After a data breach, how can leadership understand how much damage has been done to the organization's reputation, and how can it be repaired?

1. Understanding Reputational Damage

The nature of the breach affects how much reputational damage an organization may suffer. "Impact generally increases with the sensitivity of the type of data that may have been compromised," Fred Rica, a partner at advisory firm BPM, tells InformationWeek. For example, a breach involving email addresses is likely to be less harmful than one involving financial information.

Factors such as the enterprise's industry, the number of other parties affected and regulatory scrutiny also shape the potential reputational harm. A cybersecurity company that sells services to protect other organizations may take a reputational hit when it falls victim to a breach. A breach that spreads outward and affects millions of consumers and multiple supply chain partners will be a bigger deal than one involving a small amount of internal data. A breach that draws the attention of regulators, especially one that results in regulatory fines, will reflect poorly on the brand.

The timeline of the breach also matters to your brand. How long did the breach go undetected? How quickly was it remediated after discovery? Were your business operations disrupted? Were customers unable to access your services or obtain your products?

"You can quantify lost sales; you can quantify lost market cap; you can quantify the drop in stock price, but I don't know that that necessarily helps you quantify brand damage," says Rica.

Putting an exact number on trust is difficult. Some organizations that regularly conduct brand research may be able to gain insight into how a breach affects stakeholder sentiment and, by extension, their view of the brand.

"A lot of consumer-focused organizations may have a lot of brand research, where they already do regular surveys of employees and regular surveys of their brand health," explains Katie Clark, executive vice president of crisis and reputation risk and US head of data security and privacy at global communications firm Edelman. "Those can be good indicators to use or measure during an incident or post-incident, to see if there has been any sort of change."

Even if an enterprise cannot put a hard number on its brand value, that value still needs to be safeguarded.

2. Building a Plan to Protect Your Reputation

Organizations are increasingly aware that a cybersecurity incident is not a matter of if but when. That means leadership has the opportunity to prepare for an attack and for potential brand damage.

"You need to have a broad, integrated crisis management program or cyber incident response plan [IRP] that deals not only with the responsibilities of the CISO or the people in the IT shop, but with the responsibilities of other stakeholders across the entire enterprise," says James MacDonnell, a managing director who handles reputational risk, crisis management and resilience at tax and financial advisory services firm BDO.

A plan to protect your reputation has a technical component and a communications component. It is important to remember that the people responsible for each side cannot work in isolation. All stakeholders need to be aligned.

"We can't communicate unless the IT response is taking place, and there are legal ramifications and risk to what we can communicate," says Clark. That means the CISO's team, the rest of the C-suite, general counsel, the communications team and any external partners, such as a PR firm, a crisis management firm, external counsel and the cyber insurer, all need to be prepared with a coordinated response.

It is also important to ensure all stakeholders know their role in communications after a breach. "If you do not have things like traditional and social media guidelines for your employees that say who is and who is not authorized to be a spokesperson on behalf of the company, you're really setting yourself up for a much harder day," says MacDonnell.

Companies can run tabletop exercises for both the technical and the communications response plans for a breach. On the communications side, crafting holding statements for each potentially affected audience (consumers, employees, business partners and investors) can cut the time needed to produce a message when a real breach occurs.

3. Crisis Management

How a breach reflects on a company's brand depends in large part on how the crisis is managed and communicated. "Every breach and every response produce different results depending on the company, depending on the nature of the breach or incident, and depending on how it is communicated," says Doron Goldstein, privacy and cybersecurity partner on the crisis management team at international law firm Withers.

Once a breach occurs, it is time to put the IRP into action. With the new US Securities and Exchange Commission (SEC) cybersecurity incident reporting rules, the communications side of a breach may have to happen on a tighter timeline, which further underscores the importance of building a plan before a crisis hits.

"You may not have the flexibility or the luxury of giving people two days' notice to get up to speed. You may have to do it in two hours, or an hour, before you roll it out to a broader audience," says Clark.

That timeline can feel rushed, but that transparency is part of protecting the brand.

"Being vulnerable and authentic ... is important. Being able to say 'Yes, we had this breach, and we're asking stakeholders like the federal government, or we're asking insurance companies, to come in and help us,' that's what helps you get through it," says Jeremy Capell, CISO of critical event management platform Everbridge.

If an organization without an IRP suffers a breach, acting in the moment carries a significant risk of further brand damage. "If you don't have a plan, and you don't have a particularly robust, sophisticated and large team, I think that's the time to call in outside help," says Rica.

4. Common Communication Mistakes

Data breaches are evolving events that demand a rapid response. Missteps are easy to make, even for enterprises that have prepared and tested their response plans. But communication errors can compound brand damage.

  • Speaking too soon. The pressure to get ahead of a breach story is immense. Wait too long and it looks like you are trying to obfuscate. But speak too soon and leadership may find itself walking back its initial statements. Rushing out a statement leaves room for contradictory statements. If the CEO says one thing and an employee says another, you end up with muddled messaging that has to be corrected. "Those things create a perception, or can create a perception, that the company either wasn't giving full disclosure at the beginning or doesn't know what it's doing," says Goldstein.
  • Failing to account for further compromise. Do you know how much access the threat actor has to your systems? MacDonnell worked with a company that fell victim to a ransomware attack. As soon as the leadership team realized what had happened, they went into planning mode. After many conversations over company email, they decided to pay. When they went to make their offer to the threat actor, they got an unpleasant surprise. "The only thing that was provided back was a screen capture of an email from the CFO to the CEO where the CFO outlined how much cash they had on hand, what their insurance coverage was and what they thought was the absolute most they would be willing to pay," he shares. An important part of breach response planning is having offline options for communication.
  • Forgetting about employees. "I think one of the big audiences that organizations often forget about is employees," says Clark. In the rush to update customers, business partners, investors and regulators, employees can be left in the dark. But employee perception and trust matter to the brand as well.
  • Shifting blame. An enterprise may not have been able to prevent a breach, particularly if it was targeted by a sophisticated threat actor. But choosing not to take any responsibility can appear self-serving or disingenuous. "One of the things that often happens in crisis communication is that making an excuse or blaming somebody else generally doesn't go over as well as saying 'We are sorry, and we are going to improve,'" says Goldstein.

5. Long-Term Reputation Management

Not every data breach results in long-term brand damage. "If an organization manages the response in a good manner, manages it properly, is responsible, communicates well, those instances often do not have long-term impacts," says Clark.

Whether a breach casts a lingering shadow over your brand depends on how the enterprise handles the immediate crisis and how it moves forward. "You can go through a crisis, and you can come out the other end of that process and actually enhance your reputation or damage your reputation," says Capell.

At some point, leadership needs to determine when it has navigated the initial crisis. When can it return to business as usual and demonstrate that it can be a trusted steward of data going forward? Many organizations struggle with that transition, according to MacDonnell.

A breach post-mortem can help an organization understand not only how the breach occurred but also how well it was contained and communicated. Rica recommends bringing in "...somebody from the outside who has a completely independent view and a completely fresh set of eyes."

That process can help the organization improve its breach communication plan and harden its security posture, minimizing the chance of future brand damage. "It doesn't matter how good a PR team you have, or how well-crafted your holding statements are, if there's no substance behind it," warns MacDonnell.

English original:

Damage Control: Addressing Reputational Harm After a Data Breach

How can organizations measure and repair the damage done to their brands following a data breach?

Data breaches are expensive. Direct costs, like remediation, notification, lawsuits, fines and potential ransomware payments, are relatively easy to measure. The indirect cost of reputational damage can be harder to capture, but it can have a long-lasting impact on a business.

Trust is essential to a company’s brand image. A breach can tarnish that image in the eyes of consumers, business partners and the public markets. Depending on how an organization responds to a breach, that brand damage can lead to lost business. Following a data breach, how can leadership understand how much damage has been done to an organization’s reputation, and how can they repair it?

Understanding Reputational Damage

The nature of a breach influences how much reputational damage an organization can suffer. “Impact generally increases with the sensitivity of the type of data that may have been compromised,” Fred Rica, a partner at advisory firm BPM, tells InformationWeek. A breach involving, say, email addresses is likely to be less harmful than a breach involving financial information.

Factors like an enterprise’s industry, the number of other parties impacted and regulatory scrutiny also play a role in potential reputational harm. A cybersecurity company selling services to defend other organizations may take a reputational hit when it falls prey to a breach. A breach that spills outward and impacts millions of consumers and multiple supply chain partners is going to be a bigger deal than one that involves a smaller amount of internal data. A breach that garners the attention of regulatory bodies, particularly one that results in regulatory fines, is going to reflect poorly on a brand.

The timeline of a breach also matters to your brand.

How long did the breach go undetected? How quickly was it remediated after it was discovered? Were your business operations disrupted? Were customers unable to access your services or get your products?

“You can quantify lost sales; you can quantify lost market cap; you can quantify reduction in stock price, but I don’t know that necessarily helps you quantify brand damage,” says Rica.

Putting an exact number on trust is difficult. Some organizations that regularly conduct brand research may be able to gain insight into how a breach impacts stakeholder sentiment, and by extension their view of the brand.

“A lot of consumer-focused organizations may have a lot of brand research where they already do regular surveys of employees, regular surveys on their brand health,” explains Katie Clark, EVP of crisis and reputation risk and US head of data security and privacy at global communications firm Edelman. “Those can be good indicators to use or measure either through an incident or post-incident to see if there’s been any sort of change.”


Even if an enterprise can’t put a hard number on its brand value, that value needs to be safeguarded nonetheless.

Building a Plan to Protect Your Reputation

Organizations are increasingly aware that a cybersecurity incident is not a matter of if but when. This means leadership has a chance to prepare for an attack and potential brand damage.

“You need to have a broad, integrated crisis management program or cyber incident response plan [IRP] that deals not only with the responsibilities of the CISO or folks in the IT shop, but the responsibilities of other stakeholders across the entire enterprise,” says James MacDonnell, a managing director who handles reputational risk, crisis management and resilience at assurance, tax and financial advisory services firm BDO.

A plan to protect your reputation has a technical component and a communications component. And it is important to remember that the people responsible for each side cannot work in isolation.

All stakeholders need to be aligned.

“We can’t communicate unless the IT response is taking place, and there’s legal ramifications and risk to what we can communicate,” says Clark. That means the CISO’s team, the rest of the C-suite, general counsel, the communications team and any external partners, like a PR firm, crisis management firm, external counsel and the cyber insurance company need to be prepared with a coordinated response.

It is also critical to ensure all stakeholders know their role in communication following a breach. “If you do not have things like traditional and social media guidelines for your employees that says who is and who is not authorized to be a spokesperson on behalf of the company, you’re really setting yourself up to have a much, much harder day,” says MacDonnell.

Companies can run tabletop exercises for the technical and communication response plans for a breach. On the communications side, crafting holding statements for each potential impacted audience (consumers, employees, business partners and investors) can cut down the time it takes to craft a message in the event of a real breach.

Crisis Management

How a breach reflects on a company’s brand hinges in large part on how the crisis is managed and communicated. “Every breach and every response have different results depending on the company, depending on the nature of the breach, or the incident, and depending on how it’s communicated,” says Doron Goldstein, privacy and cybersecurity partner on the crisis management team at international law firm Withers.

Once a breach happens, it is time to put the IRP into action. With the new US Securities and Exchange Commission (SEC) cybersecurity incident reporting rules, the communication aspect of a breach may be on a tighter timeline, which further highlights the importance of building a plan before a crisis hits.

“You may not be able to have the flexibility or luxury to give people two days’ notice to kind of get up to speed. You may have to do it in two hours or an hour before you roll it out to a broader audience,” says Clark.

That timeline can feel rushed, but that transparency is part of protecting your brand.

“Being vulnerable and authentic … is important. Being able to say ‘Yes, we had this breach, and we’re asking our stakeholders like the federal government, or we’re asking insurance companies to come in and help us,’ that’s what helps you get through this,” says Jeremy Capell, CISO of critical event management platform Everbridge.

If an organization without an IRP in place suffers a breach, in-the-moment action carries significant risk of further brand damage. “If you don’t have a plan, and you don’t have a particularly robust sophisticated and large team, I think that’s the time to call in outside help,” says Rica.

Common Communication Mistakes

Data breaches are evolving events that necessitate a rapid response. Missteps are easy to make, even for enterprises that have prepared and tested response plans. But communication errors can compound brand damage.

Speaking too soon.

The pressure to get ahead of a breach story is immense. Wait too long and it appears like you are trying to obfuscate. But speak too soon and leadership may find itself walking back on its initial statements. The rush to get out a statement leaves room for conflicting statements. If the CEO says one thing and an employee says another, you end up with muddled messaging that needs to be corrected. “Those things create a perception, or can create a perception, that the company either wasn’t giving full disclosure at the beginning, or it doesn’t know what it’s doing,” says Goldstein.

Failing to account for further compromise.

Do you know how much access a threat actor has to your systems? MacDonnell worked with a company that fell victim to a ransomware attack. As soon as the leadership team realized what had happened, they jumped into planning mode. They made the decision to pay, after much conversation over company email. When they went to make their offer to the threat actor, they were met with an unpleasant surprise. “The only thing that was provided back was a screen capture of an email from the CFO to the CEO where the CFO outlined how much cash they had on hand, what their insurance coverage was and what they thought the absolute most that they would be willing to pay,” he shares. An important part of breach response planning is having offline options for communication.

Forgetting about employees.

“I think one of the big audiences that organizations often forget about is employees,” says Clark. In the rush to update customers, business partners, investors and regulators, employees might be left in the dark. But employee perception and trust matter to a brand as well.

Shifting blame.

An enterprise may not have been able to prevent a breach, particularly if it is targeted by a sophisticated threat actor. But opting not to take any responsibility can appear self-serving or disingenuous. “One of the things that is often the case in crisis communication is coming across as making an excuse or blaming somebody else doesn’t generally go over as well saying ‘We are sorry, and we are going to improve,’” says Goldstein.

Long-Term Repair

Not every data breach is going to result in long-term brand damage. “If an organization manages the response in a good manner, manages it properly, is responsible, communicates well–those instances often do not have long-term impacts,” says Clark.

Whether a breach casts a lingering shadow on your brand is a matter of how well an enterprise responds to the immediate crisis and how it moves forward. “You can go through a crisis, and you can come out on the other end through that process and actually enhance your reputation or damage your reputation,” says Capell.

At some point, leadership needs to determine when it has navigated the initial crisis. When can it return to business as normal and demonstrate that it can be a trusted steward of data going forward? Many organizations struggle with making that transition, according to MacDonnell.

Conducting a breach post-mortem can help organizations understand not only how a breach occurred but also how well it was contained and communicated. Rica recommends bringing in “…somebody from the outside who has a completely independent view and completely fresh set of eyes.”

That process can help an organization improve its breach communication plan and harden its security posture, minimizing the chance of future brand damage. “It doesn’t matter how good a PR team you have, or how well-crafted your holding statements are, if there’s no substance behind it,” warns MacDonnell.

This article was translated by the Digital Transformation Network (www.szhzxw.cn) from the original on INFORWEEK.COM; editor: Moran, Digital Transformation Network.


Disclaimer: The content of this website (https://www.szhzxw.cn/) comes mainly from original work, contributions from partner media and third-party submissions; all information appearing on this website is for reference only. This website will do its best to ensure the accuracy and reliability of the information it provides, but does not guarantee the accuracy or reliability of that material; readers should verify it further before use and are responsible for any decisions they make on their own. This website accepts no legal liability for errors, inaccuracies or omissions arising from that material.

All content published on this website (including but not limited to text, images, logos, audio, video, software and programs) is the copyright of its original authors. Any organization or individual who believes that content on this website may infringe their intellectual property rights or contains false information should notify this site promptly so that it can be removed.

Original page: https://www.szhzxw.cn/23846.html