CyberSecurity SEE

Tips for clear and legal communication in a cybersecurity crisis

In the world of cybersecurity, communication plays a critical role in how companies navigate and respond to data breaches. The importance of transparency and honesty when communicating about cybersecurity incidents cannot be overstated, as highlighted by recent events involving companies like Uber and Okta.

The case of former Uber chief of security Joe Sullivan serves as a cautionary tale of the consequences of failing to communicate honestly about a data breach. Sullivan was convicted by the U.S. Department of Justice for his involvement in a 2016 hack in which attackers stole data on 57 million customers. Instead of coming clean about the breach, Sullivan orchestrated a cover-up by paying off the hackers and keeping the breach hidden from external stakeholders and Uber’s new management.

This lack of transparency and the subsequent cover-up only exacerbated the situation for Uber, leading to legal consequences and reputational damage. The incident serves as a stark reminder to other enterprise leaders that the failure to communicate openly about cybersecurity incidents can have far-reaching implications.

The importance of communicating early and often during a cybersecurity incident cannot be emphasized enough. Jon Collins, VP of research at GigaOm, highlights that every risk is a business risk, and attempting to cover up a breach shows a lack of coherent thinking. Instead, companies should prioritize owning up to their mistakes and communicating promptly to mitigate the impact of the incident.

A prime example of miscommunication during a cybersecurity incident is the case of Okta, where a delayed response to a cyber attack on one of its vendors, Sitel, led to customer frustration and confusion. Okta’s Chief Security Officer, David Bradbury, admitted that the company should have communicated more quickly and effectively after the incident came to light.

Jenai Marinkovic, CISO at Tiro Security, stresses the importance of being upfront and transparent about cybersecurity incidents, even if all the information is not yet available. Companies should prioritize sharing what they know initially and provide updates as the investigation progresses to maintain trust and credibility.

A robust communication strategy during a cybersecurity incident hinges on a thorough risk assessment. Marinkovic emphasizes the need to tailor communication plans based on the type of breach and the potential impact on stakeholders. By conducting a comprehensive risk assessment, companies can ensure that their communication efforts are accurate and effective.

In addition to accurate communication, bridging the language gap between technical experts and non-technical stakeholders is crucial. Marinkovic advises involving governance, risk, and compliance teams in crafting external communication strategies to ensure that technical information is translated effectively for all audiences.

Furthermore, organizations must be vigilant about maintaining a single external communication channel and training employees on what they can and cannot disclose during an incident. Internal leaks and inappropriate communication can undermine a company’s formal communication strategy and create additional security risks.

In the aftermath of a data breach, engaging the right PR firm and communicating authentically and transparently with affected stakeholders is essential. Professional communicators versed in cyber-crisis scenarios can help companies deliver clear and concise messages about what happened and how they are addressing the issue.

Overall, the key takeaway from recent cybersecurity incidents is the critical role that communication plays in managing and mitigating the impact of data breaches. By prioritizing transparency, honesty, and authenticity in their communication efforts, companies can navigate cybersecurity incidents more effectively and maintain trust with their customers and stakeholders.
