The TalkTalk saga grinds on. It’s abundantly clear that their security was inadequate. Even their CEO admits it, although she’s determinedly clinging on to her job – presumably some poor sucker in IT will eventually carry the can. After all, that’s what happened at Target.
What’s interesting is not so much that they were hacked, or that – embarrassingly – it appears to have been perpetrated by children. It’s that their communications management has been so poor. They’ve completely failed to take control of the news agenda, and their recent attempts to downplay the severity of the breach are likely to have the opposite effect. Not only does this approach make them look as though they’re demeaning the customers whose confidentiality they’ve failed to protect, it also highlights how little they appear to know about their own systems. It’s revealing that apparently TalkTalk don’t consider their website – the main point of interaction with most of their customers – a ‘core system’.
The point, after all, isn’t that fewer bank details were compromised than was originally thought, or that it’s not an act of cyber-terrorism by Jihadis; it’s that TalkTalk failed to take some basic precautions, and that when that failure led – inevitably – to a breach, they had no systems in place to determine the scale or severity of the breach, and no communications plan.
Given the frequency of reported data breaches – and of undetected, unreported breaches – you’d think that TalkTalk would at least have discussed what they’d do and say if it happened to them. Sadly, too many UK businesses continue with the head-in-the-sand approach and assume that lightning will always strike somewhere else.
Forget breaches for a minute. Standard practice in business continuity planning is to develop a formal communications plan as part of the overall continuity strategy. This sets out responsibilities for keeping different stakeholders informed and identifies how information will be gathered and verified before release. It’s an essential tool in mitigating the impact of the disaster – whatever it may be – on the company’s reputation.
Nature – and humanity – abhors a vacuum. Given the chance, we fill it with the worst things we can imagine. Unless you provide timely and accurate information you risk having rumour and hysteria overwhelm truth. If you have a proper crisis communications plan, you stand a much better chance of controlling the news agenda, reassuring your customers and reducing the volume of speculation.
There are PR agencies that specialise in crisis mitigation, just like there are security firms that specialise in post-breach forensics and clean-up. It should be obvious that if you only call them in after the disaster has happened, you’ve already cocked things up. Baroness Harding telling us that the first thing she did when she learned of the breach was to call in BAE does not reassure. It begs the question.
So, if you don’t want to end up dancing on the same hot coals as Dido Harding, do four things today:
- Put cyber-security on your permanent board agenda
- Appoint a Chief Information Security Officer (CISO)
- Commission a security review, and act on its findings
- Develop a crisis communications plan, and train your staff on it