
The good oil on giving bad news

An effective public response to a cyber security incident is critical to preserving – and potentially even enhancing – trust in an organisation’s brand.

In February, Australia joined several other countries in having legislation that requires organisations to notify the regulator and affected individuals of any data breach that is likely to result in serious harm to the people whose data is involved.

Experience overseas shows that affected organisations are judged as much on the effectiveness of their response as on the severity of the event.

Building on our own experiences and analysis of public responses, we’ve outlined six key principles of a strong response to a cyber security incident.

Accept responsibility

Empathy: The guiding principle for any response must be to understand the harm caused for your customers or staff and to respond with empathy and caring.

Accountability: Under public pressure, the temptation to point the finger at others is strong. However, the shortest path for an organisation to restore trust following an incident is to accept full responsibility.

Responsiveness: This is broader than notification and public disclosure. Responsiveness must reflect a general sense of urgency to minimise customer harm.

Accuracy: Avoid the temptation to speculate about impact, scope or root cause before all facts are known. Our analysis suggests the best course of action when public disclosure is deemed necessary is to focus on customer concerns in any initial statement, along with a commitment to issuing regular updates as facts are verified.

Rebuild trust

Transparency: Statements that are vague, seek to obscure or use legalese will only exacerbate the problem. Plain, transparent language is preferable.

Competence: Once an incident is disclosed and publicly known, media stories provide an opportunity to rebuild trust by demonstrating your competence. Consider making your Chief Information Security Officer or other subject matter experts available for comment to reflect security expertise in media coverage.

The latest issue of Signals studies the impact of the public responses to data breaches at six organisations: Anthem Healthcare, Equifax, Hilton Hotels, Home Depot, Hyatt Hotels and Target.

*This is an excerpt from an article that was originally published in Signals, our quarterly summary of the cyber security landscape.
