For any organization, the primary objective of a “crisis” is to get through the event with as little long-term impact as possible. This means all the elements of your company that were thriving beforehand should still be thriving afterwards. From this perspective, it’s not enough to get a system back up and running after a data breach, if you’ve damaged other parts of the business in the process – for example, your customers lose trust in you and take their business elsewhere.
Recent data from Centrify and the Ponemon Institute suggest that customers are becoming increasingly sensitive to the impact of a data breach and how a company manages the response, with 65% saying a data breach had caused them to lose trust in the organization, and 27% discontinuing their relationship with that company. The 2019 Cost of Data Breach Report from IBM Security and the Ponemon Institute found that 36% of the cost of an average data breach was due to business disruption, a category that includes lost customers. The report also found that the average cost of a data breach was nearly $1 million lower when a company lost less than 1 percent of their customers. For those losing over 4 percent of their customers, the cost was roughly $1.8 million more. The report concluded that “the loss of customer trust had serious financial consequences,” on businesses experiencing a data breach.
It’s no secret that trust is a foundational element of any successful organization’s business model. If customers don’t trust you, they won’t do business with you. However, if your model is based on developing personal customer relationships or marketing your trustworthy reputation to drive new business, then it matters even more.
This makes your organization more vulnerable to the impacts of a cyber incident, because breaking trust with your customers through a poorly managed crisis response will have a greater impact on their decision about where to take their business. That is why incident response plans must account for the preservation of customer relationships.
So, then why aren’t more companies making that a priority during the incident response process? The answer is that too often the IT and security teams responsible for managing an incident don’t feel responsibility for promoting and preserving trust or reputation. In the Ponemon and Centrify report, 55 percent of IT professionals believed that a data breach would negatively impact reputation, but 71 percent did not see it as their responsibility to do anything about it. This leads to a significant disconnect when those teams are the ones running the show at the exact moment when preservation of trust – and customer relationships – matters the most.
Most incident response plans are rightly centered on the objective of fixing the problem and getting the impacted system back up and running with as little disruption as possible. But that singular focus misses the bigger picture. It ignores the part about making sure the organization is still thriving across the board.
So, how do you square that circle? How do you maintain customer relationships while you’re working to mitigate the impact of an incident? The answer is through good communications practices, and they start before anything ever goes wrong.
There are a number of steps you can take to preserve your high-trust customer relationships in the wake of a data breach. Here are the three most important:
1. Build up your trust bank
When a significant data breach hits, you’ll need everyone’s goodwill to ride out the storm. It’s always interesting to see how much slack a company is given when everyone is already predisposed to trust them. So, invest the time and resources to build up your trust bank before you need it.
To do that, improve your communication efforts with your customers now to shore up your reputation as a trustworthy organization, and when disaster strikes, those reserves will be there to buy you a little breathing space. Draw on them, as necessary, and once the dust settles, focus on refilling the bank.
2. Walk and chew gum
After a data breach, many companies make the mistake of focusing solely on the technical details of incident remediation, without fully accounting for the health and wellbeing of the underlying business. Remember that the goal is to thrive across the organization. If you can’t walk and chew gum at the same time, your organization may recover technically, but you will pay a higher cost to recover your business in the long-run.
When an incident has occurred, make it a priority to communicate with your stakeholders while the remediation is underway. Not just the ones directly impacted, but the appropriate gray area stakeholders, as well. This won’t take away from your efforts on the technical side, but it will contribute to the overall resilience of your organization.
3. Focus on the listener, not the speaker
Good communication engenders trust. This is a truism from across the business world, and it holds true throughout a data breach. Rather than simply checking the box and sending information to those stakeholders you’re legally required to notify, think of it as an opportunity to strengthen your customer relationships.
By focusing on what your customers need to hear, rather than what you want to say, you can transform your generic breach notification letter from being a laundry list of legal terms and empty platitudes to a document that is actually useful and well received. Customers appreciate transparency, and when you prioritize straightforward information and language, you stand a better chance of preserving those valuable relationships in the long run.
With an overall objective of coming through a crisis with a business that continues to thrive, it becomes imperative for security teams to account for all parts of a business during an incident response, not just the technical details of the event. A key component of this is maintaining your customer relationships and reputation by making it a priority to effectively communicate before, during and after an incident.
Copyright © 2019 IDG Communications, Inc.