Poor communication during a data breach can cost you — here’s how to avoid it
Claire Nunez
12/1/2023
4 min read
Originally posted on IBM Think in December 2023.
No one needs to tell you that data breaches are costly. That cost has been quantified, and the numbers are staggering. In fact, IBM Security's Cost of a Data Breach report estimates that the average cost of a data breach in 2022 was USD 4.35 million, with 83% of organizations experiencing one or more security incidents.
But what’s talked about less often (and we think should be talked about more) is how communication — both good and bad — factors into that cost. While no one has mapped out the exact cost of poor communication — or the cost mitigation of good communication — the fact remains that how you communicate affects your costs, recovery time, and reputation.
We’ve heard it stated this way:
A precise technical plan can make sure you have a network that runs once a breach is remediated. A precise communication plan can make sure you still have a business to run when you’re back online.
Having an airtight response that spans the whole organization — technical and business — can be a significant cost mitigator during a breach.
Why a standard crisis communication plan won’t work
Organizations are beginning to understand the cost of poor communication during a breach — through vicarious learning — largely by watching how other companies communicate (both well and badly). Even more important to watch is how customers, the public and the media respond. But even with some stark examples of mishaps and their accompanying consequences, many companies still don’t have a communication plan in place.
Worse, some organizations think they’re prepared for a cyber crisis because they already have a disaster communication plan in place — and that there is no need for a cyber-specific communication strategy. Usually, those plans are geared toward responding to a flood, earthquake or other acts of nature.
Those are totally different beasts from a cyber crisis, and relying on them can gently lead organizations into a false sense of security (no pun intended) about their communication abilities. Admittedly, hearing that response sends shivers down our spines. Different types of crises require different response plans.
Here’s why.
During a cyberattack, your organization’s usual modes of communication may be down. Or worse, they may be compromised. That means threat actors could have access to your email, Slack or other communication methods — in which case, they’ll know the moment you spot them, what you’re doing to respond, and use that to stay one step ahead.
More importantly, there are some critical differences in what you communicate, when, and to whom during a cyber incident. Your internal stakeholders are different during a cyber incident and often include teams that don’t normally rely on one another. As a rule, few of these points are covered in a standard disaster communication strategy. That means when a cyber incident occurs, you’ll be left scrambling to figure out who needs to know what and when — and because many industries and geographies have timely reporting requirements, you could also face stiff fines and penalties.
There’s an old communication adage that reminds us that whoever delivers the news first owns the message. A cyber crisis is a situation in which you want to own the message, and not end up in reactive mode, trying to manage speculation from customers or speculation circulating in the news and on social media.