Preparedness is Key in Managing Crises
By: Ken Urish
January 15, 2016 – Not if, but when. That is the approach companies should take toward breach response planning in our current cyber security environment. Risk managers must prepare as though a breach or data security crisis will occur in their company. Looking at past breaches of companies big and small provides perspective on the actions that have worked best for such organizations. There are steps that can be taken that will mitigate damage and manage reputational issues.
Before delving into what companies should be doing, it’s important to stress what doesn’t work, and what companies should not be doing. Making the wrong moves, even early, can diminish trust from stakeholders and customers and set in motion further, possibly irreparable mistakes.
One of the worst consequences of being unprepared is a lack of certainty about how to handle situations, and firms that aren’t prepared often shoot themselves in the foot through inaction. Part of that inaction is a hesitancy or delay in declaring the issue to stakeholders, clients, customers, etc. But a delay can cause distrust in those people that weren’t informed in a timely manner.
Further inaction can cause issues to compound, which makes the situation even more difficult to deal with and to recover from. When any declaration or announcement is made regarding the situation, it should come from an informed place. Misrepresenting the facts or providing false information will only complicate issues further. Additionally, don’t make assumptions about what 3rd parties are or aren’t doing to ameliorate the issue. Take the information you have and do the right things.
A well prepared company will be focused on business continuity, key stakeholders, and data management. In order to keep things moving in the midst of crisis, it’s important that you maintain stakeholders’ trust during this time. That is why preparedness is such an issue. You should be fostering and developing relationships with your stakeholders, so that trust is already present. Even if the trust is there, don’t lose sight of the human element. The stakeholders are people, and their feelings are important to listen to and to consider. Making fast, critical decisions will also instill trust in your abilities and keep things moving.
Very importantly, a lot of data related to your business and any that was directly involved in whatever caused the incident will need to be collected and reviewed by legislators, regulators, lawyers. Having the necessary data in place keeps the process moving and maintains a level of transparency for everyone involved. It also avoids negative legal and regulatory consequences. Obviously, to have the data readily available, means having a plan in place to track and monitor important data.
As you can see, preparation is the biggest part of what to do versus what not to do. A company that is prepared to deal with a crisis is already ahead of the game and many missteps that would normally occur are naturally eliminated during a thorough planning process.
To read more about Ken Urish, click here.