Few things elicit greater fear than the moment an organization realizes it has been breached. Picture executives descending into sheer panic and security teams scrambling madly as they assess the situation and attempt to limit the damage. And it's little wonder why: A breach can prove costly — often to the tune of tens of millions of dollars — destroy a brand's reputation (if not the brand itself), and lead to huge regulatory penalties.
When a breach occurs, how teams act and react has everything to do with how quickly and smoothly an organization gets back on track.
"It's not a question of whether there's going to be pain and damage. It's a question of how much," says Alan Silberberg, CEO of Digijaks, a cybersecurity consulting firm that advises on crisis management.
Make no mistake: Etiquette matters. Although a typical breach scenario may seem far removed from a "Miss Manners" advice column, there are important takeaways about how to manage events and issue a meaningful mea culpa.
"How you react and communicate are critical," says David Burg, Americas cybersecurity leader at EY.
Here are four etiquette rules for navigating a breach.
Etiquette Rule #1: Understand the Rules of Engagement
While a cyberbreach and eating out may seem worlds apart, consider the similarities: First, Burg says, you have to know what's being served up and what response is appropriate. Chowing down at a food cart isn't the same as going to a 3-star Michelin restaurant.
"There's a completely different set of expectations and standards about how you dress, how you behave, and how you eat your food," he says.
In the business world, a financial services firm or healthcare provider that has strict regulatory reporting requirements must handle a breach differently than a restaurant or plumbing supply firm. This doesn't mean, however, that a mom-and-pop shop gets a free pass.
There's also a need to understand the nature of the intrusion.
"It could be malicious but limited in scope, or it could be a massive breach," Burg says.
He suggests first determining whether the problem is damaging or simply embarrassing.
"In some cases, it may be PII or a trade secret that has been stolen in small quantities," Burg points out. "In other cases, you may be dealing with a massive ransomware attack or destructive malware, such as a Stuxnet attack."
Etiquette Rule #2: Say What You Know
During the immediate period following a breach, it's vital to move fast — but not trip over yourself. A common problem, Silberberg says, is delivering inaccurate and ineffective information, which only serves to increase confusion and sow mistrust.
"It's critical to know the extent of a breach and communicate about it clearly and accurately. If you don't know, then you say what you know and provide an update later," he says.
This can be tricky, of course. In some cases, an organization may want to avoid revealing too much for fear it offers crooks a blueprint for how to ratchet up attacks in the future. If the event is embarrassing, it can be tempting to try to sweep it under the rug — particularly if there are no regulatory requirements.
But this doesn't make the problem go away. For one thing, news may eventually leak out. For another, "You can create a bigger problem and increase your risk of legal action, including partner and customer lawsuits," Silberberg explains.
The bottom line is to stay ahead of the messaging, say what you know, and avoid discussing what isn't clear, he says.
"It's OK to say you're not prepared to make a statement yet; it's another thing to appear evasive or lie," Silberberg says.
Good communication revolves around how, when, and how much, Burg adds.
"You want to be able to wrap your mind around what happened and have a high degree of confidence that you're communicating accurate information," he says.
Etiquette Rule #3: Be Ethical and Sincere
As with any issue involving etiquette, there's a need to abide by ethical obligations and show respect for those adversely affected. This includes business partners and customers. Sincere apologies are important. Insincere actions usually dig a deeper hole. For instance, offering a coupon or tossing out a discount code probably won't convince anyone that you really care. In fact, it can backfire.
"It may look like you're simply trying to buy loyalty," Silberberg warns.
The ability to adhere to both written and unwritten rules is essential. A solid crisis response plan makes this possible. It minimizes the risk of the turf wars and internal conflict that can erupt when the screws tighten and the pressure builds. A good plan encompasses everything from the role of the board and C-suite to how to navigate IT issues, cyber insurance, and communications. Ideally, it involves senior IT specialists, security experts, legal experts, and communications specialists.
A sound plan outlines roles and responsibilities, but it also offers specific, contextual steps for navigating the breach. In other words, it clearly articulates the ifs and whens. Yet it's also more than a checklist. An excellent plan builds in flexibility based on a company's position in its industry, its size, its legal and regulatory requirements, and the data that was breached. Typically, it's wise to have the plan vetted by third-party experts.
"If you have to devise a plan on the fly, it's too late," Burg says.
Etiquette Rule #4: Practice Makes Perfect
Think of a breach response as something akin to a wedding. Participants practice the ceremony over and over until words and actions become second nature. What's more, others know their roles. The result is an ability to remain calm and confident if a problem pops up.
"When you are properly prepared for a breach, you can call an audible, make adjustments, and deal with whatever happens," Burg explains.
In the end, it's important to recognize that breaches happen, even to the best-protected and most prepared organizations. Just as good etiquette and table manners can guide you through a business meeting or dinner party, they can be your friend during a breach.
Says Silberberg: "When you do things right and take an ethical approach, you maximize the odds that you will minimize the damage."