Black Friday may be a bonanza for retailers in revenue terms, but it also represents a key risk day for them and their customers in the form of a heightened threat of cyber-attack, according to the consultancy ThreatMetrix. It has warned that online criminals will be especially active over the festive period, starting from today, and is predicting that hacks will double this year compared with the data-breach levels it measured last year.
Of course, a data breach is a crisis for a company whatever the time of year. The IT and reputational challenges are considerable. But now, in the wake of Ashley Madison and TalkTalk, victim companies are likely to be more in the spotlight than ever as the media look for further examples of data hacking and assess how the company concerned is handling its crisis.
There are various PR lessons to be learned from recent high-profile cyber-events which we summarise here:
- Don't speculate on the perpetrator: it is fine to say that the police or the NCA are investigating and that it would therefore be inappropriate to comment further.
- Don't overplay the victim card: customers will have little sympathy for the fact that IT systems weren't robust enough to keep hackers out.
- Do be clear, honest and transparent about the data accessed and the implications – identity details only, bank details, photos and so on. Trying to hide the true extent will only come back to bite you. However, it may be possible to take some heat out of the problem if you can put it in proportion, for example by being precise about how many active customers are actually affected; any such figure must stand up to later scrutiny.
- Do give clear, practical advice and assistance on any password changes required.
- Do try to communicate with customers directly and not just through the media – post FAQs on your website, have extra phone lines staffed 24/7, and respond rapidly to tweets and social media posts. A customer backlash on Twitter, for example, can quickly become a traditional media story the next day if it is not dealt with swiftly.
- Do judge when the CEO should front up to media enquiries to show that you are taking the issue seriously.
- Do apologise to customers: don't let the lawyers talk you out of that one, regardless of any class-action lawsuits waiting in the wings. You can ask for patience and understanding in the eye of the storm while you fix things, but sorry is important to say.
- Don't be afraid to be transparent about some of the IT fixes being put in place. This can usually be done without disclosing detail that would expose the company to further risk, and the technical and financial communities will judge you favourably if you are seen to be investing in the right upgrades.
- Do offer customers compensation of some kind after the event: this can go a long way towards removing the bad taste left by the theft of their data, even where the practical risk turned out to be small.
- Do be prepared to talk about your experience after the event. For customers and stakeholders, knowing that you have learnt from the experience can be hugely reassuring, and it helps to draw a line under the episode so that everyone can move on.
Bell Yard has worked on various breach situations, both in the background giving objective advice away from the fray and on the front line handling the media on a client's behalf. The crisis typically lasts three to five days and then the calm comes… until any fine from the ICO resurrects the issue.