3 Steps to Effectively Plan and Be Ready for a Customer-Facing
Breach Response
BRAND STUDIO
As cyber attackers become savvier, and
as companies do the work to be ready
to respond to a breach, one element must stay
top of mind: The customer. It’s one thing for
customers to have their data compromised —
that can be remedied. However, if a company
botches the breach response, it will be much
more difficult to restore customer trust and
rebuild its brand. Data breach responses that
deliver authentic and supportive customer
experiences help companies minimize damage,
expedite recovery and get back to business
faster.
According to a 2015 Security Week article,
“Organizations are committing considerable
time, talent and money to the task of preventing
breaches. The good news is that organizations
have successfully cleaned up many mistakes
that led to past breaches. The bad news is
that even with these efforts, attackers are
actually more successful, not less.”¹
Companies are beginning to recognize that
having a comprehensive customer-facing
response strategy in place before a breach
occurs is imperative.
With so many moving parts during a data breach
and subsequent response, it can be difficult
to determine the best approach to rebuilding
customer trust. Here are three steps companies
can take to be ready to deliver the best possible
response that works not only for the company,
but for their customers as well.
1. Don’t Look Down, It’s Time to Scale Up
The most effective data breach response
is planned and tested long before the
breach occurs. This requires careful planning
and consideration of what a company — and
its customers — might need, depending on the
particulars of the industry and the risk associated
with the type of data collected.
When a company is breached, the plan needs
to be put into action, and fast. Most companies
don’t have the capacity to handle the volume
of incoming customer calls or the specialized
training to properly address their needs.
Securing a partner that can handle that piece
of a data breach response is key to putting the
customer-facing response into action.
“Companies need to make sure they’re working
with a partner that has enough capacity and
experience to help them respond quickly and
efficiently to a data incident,” says Jessica Smith,
Director of Incident Response for AllClear ID,
a company that specializes in data breach
preparation and response. When customers are
scared and upset, they want to talk to someone
who can help. Sending them to a third party
to answer their phone calls only to endure a
90-minute hold time cannot be the first part of a
data breach response a customer experiences.
“That’s the piece that they can touch and hold.
They see that happen and they don’t have any
reassurance at all that the company is doing the
right thing to protect them,” Smith adds. While
companies often focus on closing any loopholes
and patching the vulnerabilities that allowed the
breach to happen, shifting that focus to include
customers is imperative to recovery.
Breaches are unpredictable events and for
most companies, day-to-day business operations
don’t stop during a crisis — so you’re now
juggling normal operations with the addition of
a large, visible, stressful new project. And most
companies will not succeed unless they have
help from experts to make it through. Planning
and securing capacity before a breach occurs
ensures enough dedicated employees are on
hand to guide customers through the recovery
process. This level of preparation empowers
companies to deliver superior customer service,
and more importantly, is the best chance for a
positive outcome.
Key Takeaway: Customers want the most
updated information when they need it, and
every minute they have to wait for it further
erodes trust. Make sure your customer-facing
response plan includes securing the capacity
required to respond to customers immediately
following the breach, and the resources to guide
customers through the recovery process.
2. Loud and Clear: Crafting the Right Message
When a data breach occurs, what a
company says to customers, the media
and regulators – and how it says it – is critical to
recovery. Clear, consistent communication can
go a long way toward rebuilding customer trust,
so it’s crucial that the response team is equipped
with the knowledge and skills to address
customers and the media to restore confidence.
Smith notes that launching a data breach
response is a lot like launching a new product,
albeit with a much shorter, unpredictable
timeline. While a company might take months, or
even years, to launch a new product, a breach
response happens much faster. But she also
says that doesn’t mean companies should be
hasty in their response — before a company
pushes communications out to customers
and media, they need to make sure that they
first have all of the facts of the breach straight.
“Contain the incident, know the facts and then
notify your customers,” Smith says.
In 2013, retail giant Target experienced a data
breach that left customers reeling — in large part
because the details on what information had
or had not been compromised kept changing.
That was confusing to customers, and it added stress
during an already stressful time. As many as 40
million shoppers had their information compromised.²
The retailer kept sharing information
with the public in an attempt to reassure its
customers, but the approach of sharing unconfirmed
information that changed frequently
eroded trust instead of building it.³
“After these types of incidents, customers want to
know what happened, they want to know what
the company is doing to fix it, and they want to
know how the company is going to help them
if they need it,” Smith says. That’s a big part of
the reason why clear, consistent communication
across all platforms — press releases, the
company website, employees at the call centers,
letters to individuals — is so important when a
breach occurs. While it may be tempting for a
business to release all the information they have
as soon as possible, it’s best to confirm all facts
before releasing them publicly. This strategy
helps rebuild trust by providing a clear, consistent
message that does not change from one
day to the next.
In addition to words, a company’s actions are
just as important during a breach response.
Providing customers with easy access to the
protections they need most is a simple way they
can show they understand their customers and
are ready to help.
If a consumer suspects fraud, for example, Smith
says, “they want to be able to call us at any
time and our investigators will help them. They
don’t want to have to enroll in a product, and go
through a lot of work to get the protection they
immediately need.”
Key Takeaway: Building a cohesive communication
plan in advance of a breach is necessary
to remain on message and reassure customers
when a breach occurs. What, when and how
your company communicates to customers, the
media and regulators after a breach goes a long
way toward rebuilding trust.
3. Putting Appropriate Protections in Place
No two data breaches are the same, but
after any breach, many customers have
the same feeling — they want to know that if they
are harmed because of the breach, someone will
help them resolve the problem.
Customers are a company’s biggest asset — so
you need to treat them as such in the event
of a data breach. Offering appropriate identity
protections to customers after a breach not only
reassures them that the company is on top of
things, but also helps minimize any potential
damage that may result from the breach.
Determining which protections are most appropriate
to offer is an exercise that can be done
before a breach occurs, but they must remain
flexible. It boils down to what kind of data was
lost or compromised. If, for example, Social
Security numbers are compromised in a breach,
then offering credit monitoring is appropriate.
That was the case in 2015 when a large health
insurance company experienced a widespread
data breach that compromised Social Security
numbers and health records. Credit monitoring,
in that instance, says Smith of AllClear ID, was
one of the appropriate offerings for customers.
If, however, it’s a point-of-sale breach where
only credit card information was stolen, credit
monitoring isn’t always necessary or appropriate
based on the risk of the data lost.
“A lot of time, companies don’t have the names
and addresses to notify anyone if it is just the
credit card number that is exposed,” Smith
explains. In these cases, an alternative to
credit monitoring would be more appropriate,
depending on what a company has to offer.
While it is virtually impossible to know what type
of data breach will occur before it happens,
companies should prepare by analyzing the
different types of data they collect and store to
determine what would be the best customer
offering in light of a breach.
Not all companies collect sensitive data on their
customers — nor should they, if it’s not needed
— which can change their customer-facing
breach response and subsequent protection
offerings. Doing a data assessment is critical,
Smith says, so a company can understand what
its worst case scenario would be, and work on
their customer-facing response plan from that
starting point.
And then, test the plan. Do a mock data breach,
if the capabilities are available, and have roundtable
discussions to get input from others in the
company. Making sure you have everything
accounted for when responding to customers in
a short period of time is imperative, Smith says.
It’s time well-spent on the front end, before a
breach occurs, rather than after one when your
business is in crisis mode.
Key Takeaway: Offering appropriate protections
that put customers first is a critical step in rebuilding
trust. Analyzing risks and remedies associated
with an organization’s particular type of data
and testing the plan help mitigate the negative
effects on customers.
Conclusion
In the past two years, the average cost of a
data breach to an organization has jumped
23 percent, to $3.79 million.⁴ While breaches,
unfortunately, are seemingly ubiquitous these
days, companies can take real, proven steps in
advance of a breach to be ready to respond to
customers successfully if an incident is discovered.
Acknowledging that a breach could occur,
and establishing a response plan ahead of
time can mitigate the damage a breach may
cause. Even the most robust incident response
plans, however, often fail to address one of
the most critical aspects of a breach response:
the customer-facing response. Ensuring that
any data breach response starts and ends with
the customer at the center of the plan goes a
long way to restoring confidence and retaining
customers.
AllClear ID is the leader in customer security, providing data breach response
services to businesses that aim to protect their greatest asset: customers. As
an industry leader and trusted partner with more than 10 years of specialized
experience in data breach response, AllClear ID has helped thousands of
businesses prepare for, respond to, and recover from data breaches, including
successfully managing three of the four largest and most complex breach
responses in history. The award-winning AllClear ID team is recognized for its
expertise, customer service, and innovative solutions.
Sources
1. http://www.securityweek.com/data-breaches-numbers
2. http://money.cnn.com/2013/12/18/news/companies/target-credit-card/
3. http://www.bloomberg.com/news/articles/2014-03-13/target-missed-warnings-in-epic-hack-of-credit-card-data
4. https://securityintelligence.com/cost-of-a-data-breach-2015/