How does the Recovery function benefit the affected organization if they do it well?
According to publicly available data, a company can lose 6.5% of its customer base in the weeks and months following a public data breach, which is enough to say confidently that the loss was due to the breach. Customers will stop coming to you for all kinds of reasons, and you regularly have to replace them, but losing 6.5% of your customer base very quickly after an incident like that can be incredibly expensive to recover from, as you’re losing revenue and spending more money to acquire new customers. You’ll have even more expenses doing things like managing the data breach, communicating with your customers, digital forensics, hiring lawyers, and answering inquiries from state lawmakers and possibly federal regulators.
But if you lean into this risk and do a good job at it, you can enhance customer trust on the back side of a data breach. The best way to build customers’ trust is through transparent handling of the crisis. Adobe, a software company that produces Photoshop and a lot of other creative software, had a data breach. Something they did well was to quickly notify their customers of the breach and then send out a series of password reset emails to let people know that there was a problem and to give them something that they could do to protect themselves. And even though the media didn’t fail to report on this, Adobe is far from my mind whenever I think about data breaches. Adobe was ready, and when the time came, they did a masterful job at responding and recovering. Their success had much more to do with people, processes, and management than it did with technology. Home Depot responded and recovered beautifully as well; they notified their customers as soon as they even suspected that they had a data breach. It’s not the crime that gets you; it’s the cover-up in this case.
Transparency wins when it comes to data breaches; it doesn’t have to be a badge of shame. Security experts say that there are only two types of companies in the world, those who have been breached, and those who don’t yet know that they have been breached. So, you need to have a plan for when this does eventually happen. Practice your plan about every six months with the most important people who are going to execute that plan and do a table-top exercise to practice procedures and your PR. There are many things to do, but keep in mind that managing your public relations is just as important as any other part of your response.
Thank you for reading, and I’ll see you next time.