Breaking the Silence
The Sensitive Task of Talking About Cyber Attacks and Network Security Breaches
Companies fear talking about a breach of their computer network almost as much as the breach itself. It’s a publicity headache that can make them appear vulnerable or negligent.
But silence is not always the best policy. A spate of recent network breaches shows that companies have a responsibility to tell customers, business partners or investors that sensitive information may have been gleaned as a result of a cyber breach. At that point, companies face a delicate communications task to avoid losing customers, forestall appearances of lax security and governance and maintain business as usual as they try to figure out what happened and how to prevent it in the future.
Moreover, the stakes are higher today as cybercrime has grown more sophisticated in scale and intention. Identity theft is only one objective of cybercrime. Corporate espionage is another. Cyber criminals pilfer intellectual property, pricing data and other competitive information stored on corporate networks. A 2013 Mandiant report on China, for example, found that many attacks of Chinese origin were attempts to steal “intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists.”1
The issue is causing restlessness in boardrooms. A survey by Corporate Board Member and FTI Consulting found that over half of general counsels and nearly as many directors cited data security as their top legal concern.2 Those figures nearly double the results from a 2008 survey.
An effective response requires quick action to determine how and when to disclose breaches, how to inform customers and employees, partners and regulators and what information they need to know. Careful sequencing of disclosures and the completeness of disclosures determine how much companies can maintain the confidence and support of stakeholders as they figure out what went wrong, how extensive the damage is are and how best to cauterize the wound.