CHAPTER 6
Luck Favors the Prepared

We have a team process that gets triggered if a cyberattack happens and so we wouldn’t directly go out and let the press know until we figured out certainly what it was and where it came from and what we planned to do about it. We haven’t been that far yet. It all depends on what the data flow is and how severe of a problem it is.

Chief Marketing and Sales Officer, Hospitality Company

A friend of a friend of mine knows a guy who was traveling on business in Las Vegas. He went to a bar one night and had a few drinks with a friendly stranger. The next morning, he awoke to excruciating pain in his lower back, submerged in a bathtub of ice. He noticed a phone next to the tub with a note that said something to the effect of, “Call 911. Your kidney has been surgically removed.” He lived to tell the tale but has one less kidney to show for it. Be careful—there’s an underground market harvesting organs from unsuspecting business travelers and tourists.

I bet you’ve heard a similar story from a friend of a friend. But perhaps the victim in question wasn’t in Las Vegas. He might have been in Europe. Or South America. Who knew the underground market for stolen organs was so vast?

Of course, it isn’t. This urban legend started in the late 1990s and, while we can roll our eyes at its absurdity today, I remember it sending shivers down my spine (right down to my kidneys!) when I first heard of this horror. I wasn’t the only one who fell for it.

On January 30, 1997, after being inundated with phone calls from wary travelers rethinking their plans to party at Mardi Gras, the New Orleans Police Department issued the following statement:

Over the past six months the New Orleans Police Department has received numerous inquiries from corporations and organizations around the United States warning travelers about a well-organized crime ring operating in New Orleans. This information alleges that this ring steals kidneys from travelers, after they have been provided alcohol to the point of unconsciousness.

After an investigation into these allegations, the New Orleans Police Department has found them to be COMPLETELY WITHOUT MERIT AND WITHOUT FOUNDATION. The warnings that are being disseminated through the Internet are FICTITIOUS and may be in violation of criminal statutes concerning the issuance of erroneous and misleading information.1

I’m fascinated by urban legends. As a marketer, one of the hats I wear is that of storyteller. Urban legends are unique stories in that they catch fire fast. Turns out the most legendary among them share certain characteristics.

They tend to have a moral, such as, “Look out for approachable strangers offering you alcohol in a bar.” They prey on societal fears of the moment. And they usually come by way of “a friend of a friend.” In other words, tracking down the source or veracity of the information is impossible, leaving people to fill in details of the story as it spreads.

I’m struck by the similarities between a successful urban legend and a breach that makes its way to the headlines. Like urban legends, the news of a public breach tends to spread quickly. The details of a breach, such as how it happened and who was to blame, are typically slow to come, leaving individuals to fill in the gaps of the story with their own assumptions, the way “friends of friends” do for folklore tales.

Breaches and urban legends have one more thing in common: They tap into a powerful emotion—fear. Why is fear so powerful? It’s deeply rooted in our survival instinct. Fear and anger, known as “hot” emotions, are two emotions we feel intensely. Our bodies have been programmed through the millennia to respond quickly to preserve our existence when these emotional chords are triggered. In contrast, it takes us longer to feel “cool” emotions, like joy and love, since our immediate survival depends on feeling neither as intensely.2

In fact, the one notable difference between urban legends and breaches is that the latter are real. For marketers and communications professionals, regaining control of your company’s narrative, while remaining transparent and authentic throughout the process, is a daunting challenge at best. The public relations battleground is littered with more bad examples than good of companies that misstepped in their communications outreach following a breach.

As the ultimate stewards of brand reputation, my marketing and communications colleagues must be ready to respond—and respond quickly—when the next breach occurs.

BREACH!

In 2014, when Frank Blake announced he was stepping down as CEO of The Home Depot, he was leaving behind a seven-year legacy of strong business performance and compassionate leadership. Like many CEOs, Blake saw his fair share of challenges over his tenure. When he first took the reins in 2007, the looming housing crisis was just starting to smolder. In addition to stock price, morale was also on the decline thanks to a top-down managerial style that had overstayed its welcome with employees.

Blake went to work focusing on the basics. He paused on opening new stores and started opening fulfillment centers instead, moving merchandise closer to existing locations. He focused on profitability and merchandising mix. He closed unprofitable divisions and markets.

At the same time, he brought southern charm back to the giant retailer’s culture. On a typical Sunday, Blake would handwrite hundreds of personalized thank-you notes to worthy employees—a courtesy he picked up from then–Vice President George H. W. Bush, when he served as his deputy general counsel.

A few years of tenacious focus turned The Home Depot around. Under Blake’s tenure, the stock price had doubled from the time he took office in 2007 to when he announced his intent to step down in August of 2014.

So in the final months of his tenure, Blake was taking some well-deserved time off on Labor Day weekend—just 12 days after announcing his departure as CEO. Ever the workaholic, Blake was writing his handwritten thank-you notes to employees that Sunday afternoon. As he would say, “You get what you measure. You get what you celebrate.”3

The weekend celebrating wouldn’t last. The next morning, Blake got a call from his company’s general counsel. It looked as though their computer systems had been infiltrated.

While Blake didn’t have all the details yet, his company’s financial health and reputation were at risk. In his last few months on the job, Blake was staring down the barrel of a crisis that not only endangered his company but threatened to tarnish the CEO’s unblemished record as well.

We know the end of this story. The Home Depot had 56 million debit and credit cards breached. But what makes this story unique is not the hack itself but the way the company responded. Indeed, the general consensus from critics and opinion leaders alike is that we can all learn something from their example.

During a time when big-company hacks were making headlines regularly, The Home Depot stood out—in a good way. Blake didn’t run for cover. He didn’t deny responsibility. He didn’t withhold information until he had all the details. And he didn’t pass the buck to his recently named successor to let the new guy sink or swim. (And, to be clear, any of these options would have been taken by someone with a weaker constitution.)

Instead, Blake did the most unnatural thing of all. He reported the breach publicly before his company even knew definitively what was happening. He apologized for the incident before fully understanding who was to blame. He let all customers know that his company would be responsible for any fraudulent charges and offered free credit monitoring before knowing the full extent of the damage.

While the company wasn’t spared from a class-action lawsuit, it avoided the full wrath of potential punitive damages, largely because of how Blake and the executive team rallied. As the judge explained as part of his decision:

The real villains in the piece were the computer hackers who stole the data. After the data breach was discovered, there was no cover up, and Home Depot responded as a good corporate citizen to remedy the data breach. There is no reason to think that it needed or was deserving of behavior modification. Home Depot’s voluntarily-offered package of benefits to its customers is superior to the package of benefits achieved in the class actions.4

In the end, while other companies that suffered major breaches of the time were derided in the court of public opinion for executing their communications strategies so ineptly, The Home Depot was lauded for its integrity.

What of Blake’s sterling legacy? Incredibly, the hack may have helped polish it even more. After all, how often is it that a company is publicly praised after a breach?

And the hackers didn’t manage to steal The Home Depot’s reputation either. In the company’s “voice of the customer” surveys, the net percentage of customers who would strongly recommend The Home Depot to others increased 44 percent under Blake.5

The Home Depot avoided being the punchline of their breach. They controlled their message, leaving little chance for “friends of friends” to fill in the details for them. They traded on empowerment, instead of fear. Years later, we’re still admiring how not to let a crisis go to waste.

Preparing for Battle

While The Home Depot may be legendary in the way it executed its response, it certainly isn’t unique in suffering a breach in the first place. Since the time you started reading this chapter, more than 30,000 data records have been lost or stolen globally. That’s according to the Breach Level Index, which reports 72 records are compromised each second.

Time is never on the side of a responder, no matter the crisis. But in a breach, time works against your company in two ways. First, there’s the time required to discover the breach, what’s known as “dwell time” in the industry. Per Ponemon, the average dwell time was 197 days in 2018,6 more than six months of cybercriminals rummaging through a breached company’s systems before being detected. (Once identified, it takes companies, on average, an additional 69 days to contain the breach.7)

Then, there’s the time required to notify constituents of the breach. Companies typically struggle on this front as well, since the forensic details of a cyberattack rarely come easy. The International Association of Privacy Professionals conducted an 18-month study of cybersecurity incidents spanning 2016–2017. They found the average time from discovery of a breach to its notification to be 29 days.8 As a comparison, the GDPR requires notification within 72 hours.

The bar is undoubtedly high. But if we as storytellers have learned but one thing over a career of experience and training, it’s this: Luck favors the prepared.

There are scores of valuable research studies on effective crisis communications, compiled over decades. Distilling it down, effective companies take two common approaches.9 It’s as though Blake and his team enacted the playbook that scholars have researched for decades:

  1. Successful companies communicate early and often. When bad news breaks, your company is on trial in the court of public opinion. It should come as no surprise that the first tenet of effective crisis communications comes from those who defend others in a court of law. “Stealing thunder” originated in the legal field and pertains to revealing one’s mistakes before someone else does so (in a court of law, it’s the defendant doing so before the prosecution; in a court of public opinion, it’s the company doing so before the media). Stealing thunder is presumed to work since being first to break your own bad-news story instills credibility in your message and makes your revelation look less incriminating. To this latter point, your audience interprets the severity of your transgression based on who is sending the message—you or someone else. Specifically, they are more likely to assume your offense is less significant, precisely because you’re the one bringing it to light.10 Transparency is highly treasured in the courts of law and public opinion.

  2. Successful companies focus on the victim, not themselves. This one is tougher than it may seem since it requires companies to express empathy for victims. Because companies are often reluctant to extend social graces, like public apologies, due to legal concerns, they can fall short on the victim-centered litmus test. Note that victim-centricity is necessary, but not always sufficient, in effective crisis communications. If victims believe the company could have done more to prevent the crisis or view the firm’s reputation poorly, more may be required, like victim compensation.12

While cybersecurity attacks are a relatively new phenomenon for communications experts, crises are not. We can apply the wisdom from this canon of research to our own blueprint for action.

W.I.S.D.O.M. for the Marketer/Communicator

If luck favors the prepared, you need a plan well before the breach. Time isn’t on your side otherwise. When precious minutes are ticking by, the last thing you want is for your executive team to be ruled by their own hot emotions of fear or anger that can cloud rational thinking.

Build a multifaceted communications plan with explicit executive buy-in. Think like a CISO in this exercise. CISOs must provide the board with a view of asset risk, and not all assets are created equal in that exercise. You’ll need to do the same as it pertains to what your company should do, depending on the type and severity of attack. Not all attacks are created equal either.

Work with your CISO to identify popular threats your company faces, things like web defacement, ransomware, data breach of customer records, data breach of employee records, and the like. From there, be very prescriptive about your notification principles in each case.

  • Even if the law didn’t require it, would you notify?
  • What if your company wasn’t responsible for the attack? How would that change the tone and content of your message? (Think of the breach-by-association or data weaponization examples mentioned earlier.)
  • When would you notify? Realize that earlier is better to shape public opinion. In fact, the body of research on crisis communications suggests the best timing is within one hour of the incident.
  • Whom would you notify?
  • What would you say if you didn’t have all information right away (which is more than likely to be the case with a breach)?
  • What would you be willing to offer customers as compensation or as a show of victim-centered empathy (such as free identity protection or offering to cover customer losses from a credit card breach, for example)?

Have your CEO and the executive leadership team participate in this exercise and agree to the guiding principles that govern how, when, and what you communicate based on the severity of the attack.

This exercise will take weeks, if not months, to complete sufficiently. Since chances are your company is already under attack and just doesn’t know it yet, formalizing a consensus-built plan is your first priority.

Create the communications templates for each scenario identified in your plan. Team up with Legal to frame each message. Write emails, web copy, blogs, telephone scripts, press releases, media statements, and other assets, leaving placeholders for details that you’ll fill in when the attack occurs. Stage websites (internal and external) that can go live quickly to communicate details of the breach when it occurs.

Messages must strike the right balance of instruction and tone. When a crisis happens, customers want to know that your company has their best interests in mind and the situation under control. Unfortunately, breaches are rarely so cooperative in giving your company flexibility on both points.

In the way of demonstrating your company is in control of the situation, stick to the following blueprint for your templates:

  • Who was impacted?
  • What data and/or systems were lost, stolen, and/or otherwise compromised?
  • Over what period did the breach occur?
  • What precautionary action do stakeholders need to take?
  • What actions is your company taking to correct the problem and mitigate the risk of it happening again?

Even if your company does not yet have all the information, being early and accurate in communicating the details you do have allows you to steal thunder.

Next, in the way of tone, show empathy in these messages while protecting your legal interests—a key reason to get Legal involved early in the exercise. On that point, have Legal review all templated messages so, when the breach occurs, you’re that much closer to securing final approval once you’ve inserted any remaining details.

We’ve discussed the importance of empathy. This tried-and-true crisis communications tenet proves true in the world of data breaches. Ponemon surveyed consumers who terminated their relationships with a company following a data breach in 2014. When asked what these companies could have done to preserve the relationship, more consumers wanted a sincere apology (43 percent) than wanted free identity theft and credit monitoring services (41 percent).14

Match your language to the tone. Empathy doesn’t lend itself to technical jargon or legalese. Consumers can spot a fake apology a mile away. Another Ponemon study in 2012 found approximately one-third of consumers complaining about the length or legalese in the post-breach communications they received.15

Design the tick-tock schedule for every attack scenario. Cybersecurity’s currency is time. Design your plans accordingly. Have minute-by-minute schedules for each attack vector. You likely won’t have all the information in the early minutes of finding out your company has been breached.

Lucky for you, your communications plan will guide you on what your executive team is comfortable releasing, and when. Because you will have built this plan while not under the duress of the clock, you can be more persuasive in submitting evidence that shows early-and-often communication pays (remember The Home Depot as a sterling example)—even when not all facts are readily available.

Your tick-tock schedule should identify who is responsible for distributing messages and/or assets to key stakeholders at every phase of the plan. More than 60 percent of consumers say that their satisfaction with a breached company’s response would greatly improve if the organization notified them immediately.16

Be sure your plan includes employees, whether employee records are breached or not. During crises, employees (perhaps even more so than customers) need reassurance that their employer is in control. Employees are the best brand ambassadors for a company. If you keep them in the dark on the details of the situation, they can’t help you spread your message, leaving you once again a potential victim to the “friend-of-a-friend” grapevine. Actively engage your employees to enlist their support and calm any anxieties. In terms of tactics, consider going beyond email and intranet updates. Have at least one town hall meeting to explain the situation. Additionally, open a conference hotline each day for a scheduled period (say, 30 minutes), where you can update interested employees on the latest and answer any questions.

Practice, practice, practice. CISOs run red-teaming exercises, where they simulate attacks on their organization to identify vulnerabilities and shore up defenses. In the same way, CMOs should practice crisis drills to test their team’s effectiveness in responding according to plan. Crisis management experts recommend doing so at least once a year to build the muscle memory of your organization.

As part of the practice drills, simulate media interviews with your designated company spokespeople. You will need multiple spokespeople trained and ready to engage the media when a breach happens. Ensure they are prepared with the talking points and answers to the tough questions to retain control of the message. In this case, practice makes nearly perfect.

Run your overall crisis plan and the results of your drill by the executive team to confirm nothing has changed in your guiding principles for communication. Take time to review what other companies have done since your last exercise to learn best practices, and continuously adapt your own plan in the process.

* * *

Maya Angelou once said, “I’ve learned that people will forget what you said, people will forget what you did, but people will never forget how you made them feel.” The reason we’re still talking about Frank Blake’s enduring legacy in cybersecurity is because his swift actions and accommodating response left all of us (victims or not) feeling better that companies still do the right thing. What Blake revealed through his actions is that his company cared about its customers. And that feeling prevailed long after Blake resigned his post as CEO.

When a breach happens, luck favors the prepared. Your company won’t be able to prevent all breaches. Determined cybercriminals only need to score once. When they do, the marketing and communications teams will need to strike back quickly with a coordinated, choreographed communications plan that engages all relevant stakeholders with clear instructions and sincere empathy. Your customers and employees will measure your company based on its response. When the smoke clears, they may not recall everything you said or did, but they’ll certainly remember how you made them feel.

My marketing and communications comrades, you stand between hackers and your brand’s reputation. Lucky for you, there’s plenty of preparing you can do to be ready.

Notes

  1. https://web.archive.org/web/19980506013419/http://mardigrasday.com/police1.html.
  2. Jim Taylor, “Is Our Survival Instinct Failing Us?” Psychology Today, June 12, 2012, https://www.psychologytoday.com/us/blog/the-power-prime/201206/is-our-survival-instinct-failing-us.
  3. Maria Saporta, “UPDATE: Retired Home Depot CEO Frank Blake: ‘I Really Don’t Like Amazon,’” Atlanta Business Chronicle, August 15, 2017, https://www.bizjournals.com/atlanta/news/2017/08/15/retired-home-depot-ceo-frank-blake-i-really-dont.html.
  4. Lozanski v The Home Depot, Inc., 2016 ONSC 5447 (CanLII), http://canlii.ca/t/gt65j, retrieved on 2019-03-11.
  5. Jennifer Reingold, “How Home Depot CEO Frank Blake Kept His Legacy from Being Hacked,” Fortune, October 29, 2014, http://fortune.com/2014/10/29/home-depot-cybersecurity-reputation-frank-blake/.
  6. Ponemon, “2018 Cost of a Data Breach Study: Global Overview,” July 2018.
  7. Ibid.
  8. Mahmood Sher-Jan, “From Incident to Discovery to Breach Notification: Average Time Frames,” https://iapp.org/news/a/from-incident-to-discovery-to-breach-notification-average-timeframes/.
  9. W. Timothy Coombs, “State of Crisis Communication: Evidence and the Bleeding Edge,” Research Journal of the Institute for Public Relations 1, no. 1 (Summer 2014).
  10. Lara Dolnik, Trevor I. Case, and Kipling D. Williams, “Stealing Thunder as a Courtroom Tactic Revisited: Processes and Boundaries,” Law and Human Behavior 27, no. 3 (June 2003).
  11. R. Moran and J. R. Gregory, “Post Crisis: Engage—or Fly Low?” Brunswick Review 6 (2014): 32–34.
  12. W. T. Coombs, “Impact of Past Crises on Current Crisis Communications: Insights from Situational Crisis Communication Theory,” Journal of Business Communication 41, no. 3 (2004): 265–289.
  13. W. Timothy Coombs, Sherry Jean Holladay, and An-Sofie Claeys, “Debunking the Myth of Denial’s Effectiveness in Crisis Communication: Context Matters,” Journal of Communication Management 20, no. 4 (2016): 381–395, https://doi.org/10.1108/JCOM-06-2016-0042.
  14. Ponemon Institute, “The Aftermath of a Data Breach: Consumer Sentiment,” April 2014, https://www.ponemon.org/local/upload/file/Consumer%20Study%20on%20Aftermath%20of%20a%20Breach%20FINAL%202.pdf.
  15. Ponemon Institute, “2012 Consumer Study on Data Breach Notification,” June 2012, http://www.experian.com/assets/data-breach/brochures/ponemon-notification-study-2012.pdf.
  16. Lillian Ablon, Paul Heaton, Diana Catherine Lavery, and Sasha Romanosky, Consumer Attitudes Toward Data Breach Notifications and Loss of Personal Information, Santa Monica, CA: RAND Corporation, 2016, https://www.rand.org/pubs/research_reports/RR1187.html. Also available in print form.