What is a Security or Privacy Incident? Hiccups, F*ck Ups, and Give Ups
One of the most common reasons organizations struggle with incident response communications is that their definition of an “incident” excludes most incidents. Too often incident response planning and execution only considers situations with legal disclosure obligations. It’s one reason why so many companies stumble with their public response, even if their technical response was exceptional.
A proactive communications approach not only nurtures the relationships you need to have in place before serious incidents occur, it also sharpens your thinking and helps prepare you for incidents down the road. While regularly scheduled tabletop exercises are helpful in identifying weaknesses in process and procedure, it’s the constant engagement in everyday incidents that refines individual and team decision-making, exemplifies your true principles, and establishes context for the next incident.
It’s rarely the major breaches that cause long-term impact on a brand’s reputation, especially compared to other kinds of potentially negative events for a company. The greatest damage is caused by the sleeping giants that don’t receive communications attention until it’s too late. High-frequency incidents have a greater potential to create a snowball effect on public perception. Additionally, your public response to a seemingly simple issue is critiqued more than the original cause.
Below, I’ve included a short summary of a few non-breach incidents where ongoing and proactive communications can help avoid or minimize damaging impact — or even create positive opportunities. The most effective security and privacy communications strategies cover all of this and more.
Hiccups
These are frequent, typically low-risk moments, depending on your failsafes and defense mechanisms, but if the technical or communications response is mismanaged, the situation can easily escalate to the level of a f*ck up. On the other hand, if managed well, they can create proactive and positive opportunities to demonstrate transparency and engage in community knowledge exchange.
Outages (including rumors of an outage 😑): Keep communications informed of any outages. I recommend adding them to production engineering’s alert distribution list.
Persistent Threats: Being in the loop on botnets, phishing campaigns, credential stuffing, etc. enables you to answer stakeholder questions on the spot, identify underlying industry context, and engage with external partners to help mitigate quickly and effectively.
Routine Governance: Privacy Impact Assessments (PIA), Product Review Documents (PRD), Internal Audit (IA), third-party audits, and M&A security assessments are all helpful in catching areas of concern before they cause an incident. The earlier in the process you can exert influence, the less effort it requires. You need this muscle memory for good proactive communications.
F*ck Ups
Warranted or not, these incidents are perceived as both avoidable and the result of incompetence. You will probably apologize whether you’re at fault or not because it’s the right thing to do. A good outcome is protecting public trust in your ability to blow your nose unsupervised and sharing lessons learned to help others avoid similar mistakes.
Technical: Bad product designs, broken configurations, security vulnerabilities (including vendor bugs you haven’t patched yet), etc. These all reflect poorly on engineering capabilities and organizational leadership.
Customer Support: One time, I provided documentation to the head of Risk showing that the most frequent questions I received from journalists globally across all related security and privacy topics were about unauthorized service charges showing up on credit cards stolen from other service providers. Although the actual volume of fraud was at an all-time low, the poor quality response given to customers when they called for assistance caused a high percentage of these individuals to seek resolution from local TV news stations, which led to a growing misperception that we had a serious problem preventing fraud. Together, the head of Risk and I approached the head of Customer Service with some ideas — and resources to support them.
Public Statements & Representations: Conference talks, blog posts, social media, press interviews, patent applications, etc. If someone is on your payroll, whatever inaccurate or idiotic thing they just said will be attributed to the organization and it’s now your problem.
Give Ups
This category of incidents results from intentional business decisions. It typically requires significant political capital and strategic influence to nudge the business on these issues, which is why ongoing proactive engagement is a way of life for effective communication advisors.
Data Practices: Over-collection, surveillance, opaque third-party data-sharing, a lack of effective consumer choice or controls, burdensome processes for exercising data rights, etc. erode customer trust faster than any other types of incident I’ve seen — and it can take years to repair the damage. Communications advisors must ensure ignorance, arrogance, and inexperience are snuffed out of the decision-making process.
Culture & Policies: Assholes are never worth it. Don’t let leadership off the hook with performative allyship. Growth at all costs will cost you everything.
Business Priorities: Business strategies and market environments can change quickly, and if your communications advisor isn’t clued in on future plans, they will have a hard time providing proper guidance on external engagements and internal operations. Retracted commitments and missed deadlines are good indicators that an organization’s right hand isn’t aware of what the left hand is promising. It’s even worse when one of those hands is also the mouth. 💥