Top 10 cyber crisis PR failures
- Saying too much too soon
- Saying too little too late
- Stepping in it on social media
- The tone-deaf CEO
- Forcing affected individuals to waive their rights to sue
- Overpromising and failing to deliver
- The appearance—or actuality—of insider trading prior to incident announcement
- Careless internal communication without legal privilege
- Minimizing the impact
- Allowing vendors to speak for your organization
There are no do-overs in a crisis, and the best prevention is preparation. One audience member noted: You can handle 90% of what hits you when using appropriate incident response processes.
Very true, which is why employee education and preparation are so critical. We should take a broad view of cyber safety awareness, from tips on creating a useful password and identifying phishing emails to adherence to media policies. It’s also important to take care in how you communicate electronically in an incident. It’s likely you don’t know the full details, and propagating inaccurate information can lead to confusion. As Tanya said, “Don’t put anything in writing that you wouldn’t want in Times Square.”
Ultimately, internal coordination is key to any incident response. Another audience member emphasized the importance of having a process for escalating a cyber incident internally so the right internal players are at the table from the outset—including communications and legal leaders. Small organizations and large corporations alike are forced to handle cyber incidents in the current environment.
Those that handle the response without committing major PR #Fails will avoid the harsh public spotlight, maintain control of their narrative, and sometimes even get credit for a well-run response.