Can a Crisis Plan Be a Greater Threat Than a Data Breach?
In this digital era, data breaches can come at any time and from any direction. Threats emerge from unexpected places, and the potential damage to a company’s customers, reputation and bottom line are often driven or escalated by social media and develop at a frighteningly fast pace. The all too often result is an organization and its crisis team struggling to coordinate ongoing speedy and effective responses.
Take the Target data breach of a few years ago, for example. After Target’s IT systems had been hacked, exposing the personal data of up to 110 million customers, Target issued a statement the following day and posted a video with more details on its website. The company apologized, explained how the hack had happened, and offered free credit monitoring for affected customers.
Unfortunately, there were a few key problems with Target’s response. First, it responded before officials were fully aware of the scope and cause of the problem. This forced them to later walk back some of its statements, such as the number of customers whose information was hacked. In the eyes of the consumer, it made Target seem unprepared, unprofessional, and even a bit suspicious.
Second, Target posted the message from its CEO to its website and then later realized it wasn’t garnering many views. That was because most consumers were taking to social media—not to the website—to air complaints and interact with the company. This offered a valuable lesson to Target, and others, to respond to a crisis using the appropriate channels.
This case, and many others, illustrate why it’s vital to build crisis plan that is ready for the digital age – just how the crises begin and balloon. You can build one from scratch or go with a crisis app that will allow you to get up and running much more quickly.
Here are the top things to consider:
First, ensure your plan differentiates between an issue and a crisis. Every adverse incident is not a crisis. Treating every issue like a crisis leads to an over-reaction that may draw more attention and more adverse comment onto your organization.
Therefore, good practice in crisis planning is to manage threats against three levels of seriousness, ranging from minor threats to full-blown crises.
Next, ensure you’ve got an easy-to-implement escalation protocol.
No matter how well you handle the initial emergence of an issue, occasionally the threat will grow in visibility and become a much larger problem. At these crucial moments, there must be a clear process for the team to evaluate the growing risk and alert more senior resources in your organization.
How to make that evaluation and who to contact (and with what information) is a foundation cornerstone of a crisis plan.
Third is planning for how a crisis will play out in digital and social media.
Oftentimes, organizations simply don’t react quickly enough and thus, the narrative is set by news coverage and commentary on social media.
Someone must be responsible for tracking and analyzing what is being reported and said on social media and have the expertise and tools to instantly rebut facts that are reported incorrectly. It also means having the channels and platforms to get your story to the right people and putting in place a team that is trained, experienced and confident in social media.
Fourth, prepare your team. Each member of the team should have a clear role, and alternates should be clearly identified for each of the most crucial roles.
The way the team will gather to plan a response will be identified – a well-equipped war room in HQ used to be the way, but in the age of distributed teams it is likely to be a conference call number instigated by the crisis leader.
The team should go through a drill once a year, a workshop in which they tackle a simulated crisis. And every quarter, it’s someone’s job to update that list of crisis team members!
Finally, have specific plans for the most damaging scenarios. In that moment when the worst has happened and you search in the plan for how to respond in those first few crucial hours, you want the information to be as specific as possible.
What you need in those first intense moments are details, prompts, information and resources for the scenario you are facing. Scenario planning offers a higher level of preparedness.
Many organizations today are shifting away from traditional paper crisis plans to an app-based, digital playbook – virtually fighting fire with fire. Any way you choose to prepare, be sure to have actionable protocols that: guide the team’s response to any issue; are easy to read and use; include checklists and decision-making guidelines; have crisp, clear policies for assessing quickly the level of risk; and include step-by-step escalation procedures, depending on the level of risk.
The next data breach or cybersecurity threat will happen. The only questions are when, to whom, and how fast can you respond.