Data Breaches – It’s not if. It’s when!

Written on September 13, 2022. 10 days later, Optus.

Some years ago, I was purchasing a new road bike, all carbon fibre and unobtainium. The bike shop owner also talked me into a new helmet. His sales pitch was “you’ll need this for when, not if, you come off.” He was not wrong. I did, eventually, come off. Big time. Bruised ego, road rash, broken ribs, but a fully intact head. Which is more than I can say for the seriously cracked helmet.

In a world where everyone is collecting data on everyone else – even the taco sellers want you to order, and pay, via their App – it really is a case of when data security is breached, not if.

The pandemic and the ubiquity of the QR code has resulted in a flood of service providers driving customers online and onto Apps to execute transactions, most of which require input of personal and credit card details. What could possibly go wrong?

The answer is, quite a lot. In many cases the collected data is stored, and payment processed, by third parties. Another link in a chain of custody of sensitive information.

Are you certain that the data you are collecting, or that is being collected on your behalf, is secure? Other than general reassurances about security protocols and systems in place (most of which is indecipherable technical jargon) what tangible security measures are in place, particularly at the weakest points, being where your staff or contractors physically enter or access data?

Of the last four crisis management tasks we have been asked to assist with, three have been data breaches.

Managing a data breach is a complex task. Not only do the data security experts need to track down and plug the leak but a wide range of stakeholders, from customers to regulatory authorities to business partners and the media, all need to be sensitively communicated with and reassured that matters are (hopefully) in hand.

That requires a set of skills that are not usually held by day-to-day operating staff. Taking two important steps will help in navigating the challenges presented.

• First, assume it will happen to you and develop and rehearse a crisis management plan.

• Second, immediately you become aware of a potential breach, call in your crisis team, made up of key internal and critical external technical, communication and legal support, to work on responses and reputational protection.

The damage that can be done to corporate reputation by slow and inadequate response can be fatal. Even if the breach originated due to a failure within your organisation, if you move quickly, decisively and appropriately, you stand a good chance of minimising the damage, to you and to your customers.

In an interconnected world where online security is continually being tested by bad actors, everyone understands that challenges may arise. It is how you respond that will determine whether you retain or lose trust.

The best way to ensure you respond effectively is to be prepared. Get a data breach crisis plan together, engage the necessary external support and rehearse.

When it does happen, move quickly to bring that team to the multifaceted task of fixing the breach, communicating with stakeholders and interested parties and rebuilding the trust that every business relies on.

RMK+Associates has long experience in preparing for and managing corporate crises, including numerous data breach incidents. We have long-standing partnerships with data security experts, we have comprehensive stakeholder management skills, and we can work closely with clients’ legal counsel to prepare for and respond to serious data breach events.

Are you ready?

Just in case you think we may be overstating the risk, here are only a few examples of recent cases that have created chaos:

Optus

Huge data breach. Up to 10 million customers impacted. Optus first suggests customers should use the My Optus App to find out what is going on. Massive fail! CEO comes out next day with an almost tearful apology and promises of further restorative action, but still can’t specify what happened or how they will fix it.

Uber

Hacker gains access to all internal systems through phishing attack. All Uber email systems and team online tools shut down for an extended period.

A 2016 attack stole the details of 57 million driver and rider accounts. Uber paid $US100,000 ransom to have the copies deleted and kept the breach secret for over a year. Uber’s then security chief charged with failure to disclose the breach to regulators and is currently on trial.

APT Travel Group

Attack takes down all booking systems and compromises data. Company refuses to confirm that it paid a seven-figure ransom to unlock its systems and recover data.

DoorDash

Phishing attack exposes customer data including partial payment details. Company has to cut off access to some third-party vendors and re-engineer its security protocols.

International Committee of The Red Cross

Hackers gain access to personal data of more than 510,000 people worldwide. ICRC did not detect the breach for 70 days. Impacted servers taken offline for an extended period. Compromised data not recovered.

Toll Group

Suffers two attacks in one year, shutting down various elements of their online customer services and compromising customer data. Attackers demand a ransom, Toll refuses, endures weeks of disruption.

Time for the opposite of desperation marketing

By John Kananghinis

In last week’s special edition of Words + Insights we wrote about the need for businesses to stay calm and to communicate.

This week we explore how to communicate to customers, during times of crisis, in a way that will build trust by reassuring, offering value and being measured.

By now, almost everyone will have been deluged by notifications from a range of businesses advising of the measures they are taking to address the pandemic.

Too late, then, to discuss the initial salvo of communication. What of the ongoing?

As with all marketing it must be driven by addressing a customer need. Right now the customer does not need to know that you are desperate to shift product. They know. Bombarding them with desperation ‘offers’ and ‘opportunities’ will not help them cope with the unique circumstances. More than likely it will annoy.

Frankly, there are more important things to worry about than missing out on a ‘great deal’. And such an approach may also strike a particularly discordant note, as if not really recognising the situation.

Delivering customer value must orbit around the needs of the current circumstance. If a business offers an essential service, communication must be around reassurance. If not essential, there are still many ways businesses can demonstrate that they are aware of the situation and doing their bit to help.

We have already seen many stories of the repurposing of capabilities to assist in providing vital aid to the fight against coronavirus. Breweries and distilleries producing branded hand sanitiser, luxury goods brands manufacturing personal protective equipment, auto manufacturers building respirators. All positive reactions and all legitimate and appropriate topics to communicate to their customer base.

There are even tangential ways businesses can help customers meet current needs. Using connections and partners to provide practical assistance. For example, reading lists, YouTube channels or viewing lists, home cooking recipes, fitness at home ideas from linked sportspeople. The ideas are limited only by imagination.

The reality is that most businesses will face a significant fall in sales. But with the extra time customers have in front of computer screens there need not be the same drop in engagement.

For those providing discretionary products and services keeping communication going, with value-adding content, can also be an opportunity to keep building desire. Just allowing customers to view/build/configure their dream product or service is a soft sell that can be both enjoyable and diverting. Again, not trying to shove distressed product down their throats, but a distraction that may help get them through a difficult time.

In short, keep communicating, reassure, be imaginative, offer value, be relevant and don’t be a pest.

Businesses that stick to those principles will build recognition and loyalty that is sure to give them a head start when the crisis abates.

RMK+A has developed and implemented integrated communication and marketing plans for clients in sectors as varied as automotive, heavy equipment, transport and logistics, energy, tourism, waste, insurance, finance and professional services.

Keep Calm and Communicate

By John Kananghinis & Alexander Corne

If you’re not in your bunker expecting the worst and eying the corporate cyanide capsule, then you should be communicating clearly, calmly and with authority to the various stakeholders in your business.

Executives need to communicate in two directions at once, and largely with the same message; to their directors or owners above, and to their direct reports, below.

Ideally this downward communication should stretch further than just direct reports, all the way through the business. It needs to be personal, credible and straight-forward. Now is not the time for corporate-speak babble.

Every single person in the business is worried about how they will sustain life and lifestyle. Employees in constant fear for their jobs do not function optimally.

Then there are the external suppliers and customers to consider. They are equally confused and worried but need to be similarly calmed, consoled and corralled.

The key to successful communication in a crisis is firstly to avoid the panic of the talking-heads and media tarts. The crisis may be global but your response must be local.

The tools to deliver crisis communication are, today, easy to employ. The variety of online captive and public platforms make getting in contact, even face-to-face, very easy. However, it is the appropriateness of the platform for the message and clarity of the message itself that are the important elements.

From team member briefings to new services and operating procedures for customer care, to investor and partner information, all need to be communicated cognisant of the appropriate channel, tone and necessary detail for each audience.

The coronavirus emergency is likely to be with us for some time, during which rules and resulting business responses will change. To remain of value, communications will need to be current. Crisis communication is not a set-and-forget proposition, nor does one size fit all circumstances. Continual assessment of the situation and updating of messages will be necessary.

Devising and delivering such ongoing communication can stretch the resources of even the most sophisticated corporate communications and/or marketing team.

This is where expert external support can make the difference between a perception of ineffective response or one of a business that is dealing with the situation in a manner that supports customers, team members and partners. A business well-placed to quickly return to growth in the eventual recovery will have a distinct commercial advantage.

RMK+A has advised and supported numerous organisations in times of difficulty and is equipped to offer a suite of communication advice and implementation support during this challenging period.

We have devised clear, cost effective, packages of support ranging from core customer and team communications through to detailed investor, regulatory and media relations. A discussion with us could help your business to navigate a smoother passage through these turbulent times.

Legends in their lunchtimes

As the basket at the foot of the AMP guillotine begins to fill, for those of us who have had the privilege (or curse) to have been active in business for more than 3 decades, the unfolding events appear all too familiar.

Hubris and wilful blindness have never combined to end in a positive result. Nevertheless, both tend to manifest as part of a regular business cycle.

An outbreak of believing your own PR is likely to result in mounting casualties.

Business success depends not only on sound strategies – well executed – but, annoyingly, on a degree of luck, timing and a supportive broader social and regulatory environment. Too often management and boards can mistake a fair proportion of the latter three (delivered by regular variations in business and consumer confidence) for their own genius.

The resulting natural tendency is to lessen the focus on detail and begin rewarding one another for the job well done. A tendency naturally increased if it is other people’s money that is being used.

The mess uncovered at the AMP is almost certainly the beginning of a long stream of hubristically driven shambles that the, much delayed, Royal Commission into Misconduct in the Banking, Superannuation and Financial Services will bring to light.

The damage to personal and corporate reputations will, in some cases be irreversible and in most cases, take long periods to recover from.

Two things confound and disappoint the public and work to lessen an organisation’s social licence to operate. First, the evident avarice-driven disregard for rules and customer benefit. Second, the failure of boards, as houses of review and management supervision, to identify and act on such abuses.

As professional communicators, we are regularly asked to convey good news and minimise poor outcomes when engaging with ‘stakeholders’ (read anyone who can impact on a share price that drives bonuses or who can tip folks out of a job). Both on principle and in the longer-term interests of our clients, we never knowingly misrepresent the facts. We may focus on one element more than another, but to lie is to ensure you will, eventually, get caught-out. An outcome that damages all involved.

Board members of any public company, industry body, not-for-profit or other such organisations have a responsibility to ask management the difficult questions, to challenge assumptions and, where necessary, to check the detail. Even if all is presented, on the surface, as good news.

In getting to the facts, too often we have witnessed situations where process is relied upon rather than proper answers. Instances where to us, as so-called spin masters, it is obvious that either not enough substance is present and/or too much pre-spin has already been applied.

Thankfully, few such cases have involved our existing clients. But we have worked on quite a few crisis management cases where the damage has already occurred.

Business cycles have, even in our relatively short experience, displayed a predictable regularity. A longer view of business history does not support an alternate conclusion. Executive management and boards should, in good times and bad, take a close look at how their businesses operate, how they generate the results, consider the prevailing conditions and ensure that they are well insulated from possible ethical, regulatory and operational failures.

If that is happening, the task for the communicators is to tell a good story, well. If not – welcome to the town square, with the crowd baying for blood. The most that can be done at that point (at great expense) is make the best of a bad situation and prepare the ground for the successors.