How to Handle Crisis Communications After Your Company Has Been Hacked

"Hack" by Randall Munroe

"Hack" by Randall Munroe

So, your company has been hacked? Breached? Pwnd? Whether through sloppy security habits (unencrypted data, poor passwords, unnecessary access, unlocked devices) or compromised digital systems (zero-day exploits, brute force attacks, input of malicious code), the process for publicly dealing with the attack is relatively simple at a basic level. Here are some general principles:

1) Immediately announce the hack happened and explain who it affected.

This might seem obvious, yet there are many examples of companies that have known (or should have known) their systems had been compromised and said nothing. In 2007, it took Sony a full week before admitting a successful external intrusion took place, and recently, Target first sent out a vague email to thousands of customers without giving many specifics. Waiting until a third-party notices a security flaw and publishes sensitive information to the public, like what happened with AT&T a few years ago, and more recently with Snapchat, is far more embarrassing from a PR standpoint than you being the one who reveals and details the damage first.

2) Apologize to your customers and users.

As we noted before: Don’t be like Snapchat. Even if a breach isn’t due to your own lax security policies or unnoticed, outdated software, apologizing to the people whose data and personal information has been compromised is of paramount importance.

Instead of Snapchat, be like Kickstarter: Last month, the company sent an email to users and posted on its blog an important security notice which noted that a breach had occurred, offered steps for creating a more secure password, and apologized in a sincere manner. That’s how communications should be handled following a hack. (And while it’s obviously not the ideal way to grow, a professional, thorough response in this scenario can often even bring in new users.)

3) Show how you’ve fixed the issue -- and brief reporters who specialize in security.

Only a handful of outlets, such as Dark Reading and Krebs on Security, will cover the technical details of the fix, but publications like these can help provide reassuring context that will be cited by larger outlets with a wider audience. Related to this, it’s best to avoid having an executive not well versed in security discuss the breach in detail with the press -- that should be handled by a CTO-level exec with deep knowledge of the cyber attack. And while a private security firm is often brought in to change a company's internal policies and research the intrusion, they're usually not the most appropriate candidate to represent your brand. In those cases, public communication is best handled with a well-vetted press release or blog post on the company’s website.

Hacks will keep happening, and not all of them can be prevented, or even planned for. And as the Internet of Things expands the range of devices which can be hacked, intrusions will probably increase. However, what you can plan for now is how to address the public in the wake of a hack, and be prepared to regain its trust. The very fact that hacks are becoming so commonplace means Internet users are likely to be more forgiving -- but only if you're ready to respond the right way.

Image via xkcd.