Under Armour’s response to a cyber attack achieved the seemingly impossible: Rather than fueling outrage, it actually drew praise. Brunswick’s Siobhan Gorman reports.
In late March last year, Under Armour learned that its MyFitnessPal app, which tracks diet and exercise, had a data breach that affected 150 million users. It’s not uncommon for companies to take several weeks—or even months—to publicly announce a cyber attack of that scale.
Under Armour did so in four days.
Tokë Vandervoort on What Made The Difference
External relationships are how we found out about the breach, and they’re how we knew which advisers and expertise to bring on board right away. We had those in place and had put a lot of effort into maintaining them and keeping them up to date. Internally, the trust we’d built allowed us to move as quickly as we did. Both paid huge dividends.
I don’t know anybody whose incident response team meets every other week, but ours does. Sometimes we’re just shooting the breeze, but other times we’re asking: “What’s going on in the business? What are you hearing? What’s happening?” We enjoy a great relationship with the product team, the engineering team, the IT security team, the IT team ... It’s not just sharing information, but also getting to know one another, which ties back to the importance of relationships—knowing what’s going on and who to call.
We do a table top every year for a data incident. I’ve heard people say table tops are too expensive—we make up our own. Security and privacy get together and create a two- or three-hour game. One year it’ll be a supply chain issue, another year it’ll be a data event.
We invite decision-makers from across the organization so that people then have a sense of what it feels like to make decisions without full information and to have to do so under a lot of pressure.
People appreciate not just how hard these decisions are, but they know who the other people are, and the issues that they’re confronted with. The companies that have the most confident response are the ones where everybody knows their roles—not some giant team of people who have never worked together. When you have complete clarity of purpose, focus and leadership, you can get anything done.
Siobhan Gorman, Partner, Washington, D.C.
Siobhan Gorman concentrates on crisis, cybersecurity, public affairs, and media relations.