How to tell your customers you’ve been hacked

Communication in a crisis is a key part of cyber resilience.

While the short-term costs of a cyberattack can be significant for a company – causing losses in productivity and revenue, the need to compensate customers and even to pay fines – the reputational damage that comes from having lost sensitive data represents a long-term risk to the public perception of the business.

When TalkTalk was hit by a cyberattack in October 2015, the direct impact was worrying for the company – alongside the costs of detecting and securing the breach came a £400,000 penalty paid to the Information Commissioner’s Office – but the longer-term costs from reputational damage have been much more severe. More than 100,000 customers have gone elsewhere, and the company’s share price is less than half what it was at the time of the breach. The hack itself ultimately proved to be less extensive than first feared, but customers were left less than impressed by the company’s poor handling of the attack in its early stages, which included delaying the announcement until after the police got involved and a refusal to end customer contracts without incurring charges.

The impact of bad publicity is never completely quantifiable, but a poorly handled cyberattack can affect how a company is perceived by customers and investors for years after it happens. An effective communications strategy is crucial, then, to a company’s capacity to cope with a cyberattack.

Being prepared

Neil Stinchcombe is the co-founder of Eskenzi PR, a specialist agency that deals with cyber security. Stinchcombe says there is a growing consensus that true cyber resilience “should operate from the position that it is a case of when, rather than if, a security issue occurs.” Preparing for a worst-case scenario, even if a company has all the most sophisticated countermeasures installed, will allow some “breathing space” for when that worst-case scenario eventually happens.

While it is important to inform the public and minimise panic, Stinchcombe says it’s also crucial that people working in the affected company have a full picture of events. “Make sure that your [communications] strategy also covers internal dialogue, social media and [what you tell] journalists. A clear and consistent message, company-wide, will make a huge difference to the impact on your company’s reputation. You’ve got to appear in control.”

Barnaby Fry, head of crisis and risk at MHP, a strategic communications consultancy that works with American Express, Aviva and Uswitch, reiterates that it’s crucial to prepare in advance. Reputational recovery, he says, “starts in the first few hours of [detecting] the issue. Handle it well, and the long-term recovery will be less of a hill to climb”. It’s also important, he says, to listen to experts. “Your communications protocols for cyberattacks and data loss must be fully aligned with the technical and operational response, which should include customer services.”

Nic Daley, cyber security lead at H+K Strategies, agrees that companies should pre-assign roles to different teams within a company’s staff, so that in the event of a cyberattack, “everyone should know what they’re supposed to do.”

“People should be able to pass the baton”, he observes. “The legal team can advise on the legislative reporting timelines and requirements, such as notifying the regulator and so on. There has to be a fine balance of managing the message” but for Daley, “that message has to be led from a PR perspective.”

While speed and transparency are both valued in measuring the quality of a company’s response to a cyberattack, there are still cautionary tales to be appreciated about rushing to issue a response and revealing too much. “We often see companies rushing to communicate,” Daley says, “which is a noble but potentially naïve pursuit. Companies need to adhere to the legislation, such as the General Data Protection Regulation (GDPR), in respect of regulator notification and honour the terms and conditions of any contracts. But the GDPR states that individuals must be notified ‘without undue further delay’, which, to be honest, won’t always mean that you’re advising people within 72 hours.”

Giving an incomplete picture could in some situations be less responsible than waiting for the truth. “There is often a significant amount of IT forensic work that’s required to understand the nature and scope of an attack. We’ve dealt with cases where firms have been held to ransom by hackers over the course of several weeks, without necessarily being able to determine the information that’s been compromised.” In cases like this, Daley says, “there are serious judgement calls to make on an almost daily basis.”

As well as having clear messaging, Daley says companies need to think about the communications “infrastructure” needed to manage customer demands and the media. “Do you have the right call centres set up if required? Is the social media team briefed with responses to the storm that might hit online?”

Barnaby Fry adds that companies can make the mistake of “over-speculating” before the facts of the attack have been established. “It’s a mistake to try and pre-judge a cyber crisis. If you don’t know, just say you don’t know, and focus on how you will find out and what you will do about it. It’s easy to blame a cyberattack on some sophisticated criminal organisation or aggressive foreign state, but it could have been orchestrated by a teenage hacker in his bedroom.” Quite; TalkTalk was left red-faced after the attack it suffered in 2015 was found to have been orchestrated by a small network of hackers, some of whom were still schoolboys. “The key is to share only what you know is 100 per cent correct.”

Cyberattacks, according to Daley, provide insight into the “fascinating dynamic” of victimhood. “In the event of a cyberattack,” he explains, “both the business and the customers see themselves as the primary victim. The challenge for the business is to adopt the mindset of the customer. Reputational recovery involves re-establishing trust, which means adopting a personal, human-led communication strategy to demonstrate to customers that you understand their concerns, and are genuinely doing all you can do to prevent it from happening again.”

Saying sorry

Language, the PR experts concur, must be chosen carefully in the wake of a cyber incident. While details remain unclear, Neil Stinchcombe advises, “the worst mistake to make is to refer to a breach as a breach, rather than an incident, as this immediately makes it a notifiable event to the regulatory authorities.” If a data breach is identified, the law requires that companies disclose it, but Stinchcombe says it is important to establish the facts first before going public. “You need to be as accurate as possible before you report a breach to a regulator, your customers and the media.”

An excess of jargon or corporate speak, Daley warns, prevents empathy from being conveyed. “Businesses should scrap the word ‘notification’, and replace it with ‘dialogue’ in my opinion. It has to feel two-way and relational. There’s no merit in a fashion brand sending a mass email talking about a ‘DDoS-related cyber incident’. Businesses need to communicate the facts about what’s happened, what the business is doing about it, and empathise with customers who will understandably consider themselves more vulnerable than the multi-million pound company.”

Alongside empathy, Daley says, companies must also show contrition. While “lawyers might be reluctant” for a business to admit culpability, he suggests, “saying sorry is often the first step to repairing reputational damage.”

As sales and services continue to move online, more and more people are uploading sensitive and personal information to companies’ cloud systems. There is an expectation, “rightly or wrongly”, Daley says, for data to be “kept safe”, and for companies to invest in security and resilience.

Stinchcombe agrees that prevention remains the ideal goal, and that regardless of the size of a business, all companies should be “agile” and responsive to the requirements of security. “Cyber security is principally about people, processes and technology. Larger companies are more likely to have the resources needed, provided that senior management view it as a priority. As companies get smaller, they are more likely to lack the resources, so may need to use a third-party provider to offer the skills and technology they need.”

But as criminals develop their own cyber skills, the need for people and processes that ensure effective communications is growing. When a cyberattack happens, a swift technical response must be complemented by the explanation and demystification of complicated issues, the release of information, and a candid and empathetic approach to the needs of the people affected. As Fry puts it: “Any compromise of data has the potential to inflict heavy reputational damage that can hit your bottom line, so it is worth investing the time, money and effort to ensure that you have a robust communications protocol and playbook in place.”

Rohan Banerjee is a Special Projects Writer at the New Statesman