• Crisis Management: How organisations can prepare better when the next data breach strikes

    By Lena Soh-Ng on August 01, 2019

    Just this week, international beauty retailer Sephora admitted to a breach of its online users’ data, affecting customers in Singapore as well as in other countries including Malaysia, Indonesia, Thailand, Philippines, New Zealand and Australia. News quickly went viral, gathering significant attention and sharing amongst various media outlets and online netizens.

    Sephora’s data breach has made headlines on major news outlets, and garnered attention on social media

    Such incidents, while not the first of their kind, will likely not be the last we see in the near future.

    As TechTarget said, “Assumption of breach is the new norm.” Fortified online security walls are growing weaker by the second as attackers develop new techniques. While crises often happen unannounced, the increasing unpredictability of the digital world calls for planned crisis management strategies to be put in place.

    Here are some hard facts:

    Brands and organisations that suffer data breaches risk losing their customers’ trust

    According to a study by KPMG, 19% of consumers said they would completely stop shopping at a retailer after a breach, and 33% said they would take a break from shopping there for an extended period.

    Data breaches can also cause significant financial impact

    According to IBM Security findings, in 2018 alone the average cost of a data attack in Southeast Asia stood at $2.53 million.

    Effective reputation management extends beyond just reacting to a mishap as it happens – it is developed from the start. Whether big or small, modern or traditional, it remains integral that organisations are built on stable crisis management structures.

    Here are important considerations in crisis management:

    Prepare for regular crisis audits to stress test systems

    Crisis auditing is essential in any crisis management strategy. Take, for instance, one of the biggest data breach incidents that shook the world – the Facebook crisis that affected 87 million users. When CEO Mark Zuckerberg issued his response only five days after the incident blew up online, Facebook’s shares had already fallen by 17%.

    Carefully crafted and comprehensive response plans are essential. This involves planning for worst-case scenarios and determining which stakeholders would be affected and how. It is important to have systems in place that can be activated immediately. Dry runs are also useful in preparing teams to be crisis-ready.

    Real-time updates – an integral building block of trust

    Generally, customers like to be in the know – more often than not, it is not a formal apology they seek, but the company’s transparency and genuine desire to rectify the issue. For example, in 2017, GitLab (a software development company) accidentally removed clients’ data from the primary database server. This led to 18 hours of downtime, affecting clients such as IBM, Sony, NASA, and Alibaba. The company swiftly gave updates on their social media explaining what had happened and how they planned to fix it. They also set up a social audience engagement strategy – constantly updating their audience via a Google Doc and the hashtag #HugOps, and even live-streaming the problem-solving process.

    Owning the mistake and ensuring clear communication is key to building trust.

    Response time is key

    Target’s 2014 incident is an example of an effective crisis management strategy. They transformed their Facebook and Twitter pages into direct lines of communication with customers, updating customers on their investigation progress and call centre response time, and offering monitoring services. The CEO’s message was also published on the company website with the necessary social sharing functions. Their thorough crisis engagement with customers proved their commitment to defending customers’ privacy and wellbeing.

    While data breaches are sensitive and can generate widespread unhappiness, companies who take to the discussion pages can intercept sources of inaccurate information and extend their genuine remorse for the incident. Organisations should also reply to the negative comments.

    Build relationships with external stakeholders

    As the African proverb goes – “If you want to go fast, go alone. If you want to go far, go together.”

    This is often overlooked. In the case of a data breach, there are companies in this space that can provide perspectives, such as the types of threats at the time and the processes that companies have undertaken, and put things in perspective for the media. Companies do not have to tackle the issue all by themselves. Apart from data forensic companies, external stakeholders can also include industry associations and consumer watchdog groups.

    Take, for example, SingHealth’s massive data breach in 2018 that affected over 11 sectors including government, banking, healthcare and more. Apart from the Government’s statement, the Cyber Security Agency (CSA) also disclosed thoughts in a review of the public sector’s cyber-security policies together with the Smart Nation and Digital Government Group (SNDGG). The provision of multiple external opinions served to add greater assurance to the audience.

    The Crisis Recovery phase is often overlooked

    In many organisations, the post-crisis recovery phase is the least planned for. When Huntington Communications managed a food scandal for a global furniture retailer, the post-crisis phase of offering meatballs at $0.10 each caused long queues, won strong editorial approval and resulted in a Singapore Book of Records title for the highest number of meatballs sold in a day. It was a runaway success, which would not have been possible without proper planning.

    While crises often cannot be predicted, companies can be prepared. After all, the reputation of a company is made up of the sum total of all its stakeholders’ perceptions.