Making the Most of a Security Breach

As they say, what doesn’t kill you makes you stronger. Even though a security breach can now actually kill your company, cyber-savvy marketers can turn exploits into opportunities that elevate brand trust and strengthen your company’s security posture.

Seems counterintuitive – after all, shouldn’t we just try to avoid cyberattacks altogether? That would be great, but this expectation is now old school. Back in the day, and not so long ago, executive leadership teams expected IT technicians to defend what many thought to be impenetrable perimeters around corporate data centers. However, after Covid and with the advent of hyperscale cloud computing, sensitive data and mission-critical workloads now spin up, down, inside and out of corporations, governments, and supply chains around the world.

The resulting onslaught of threats and vulnerabilities across these expanding attack surfaces leaves us with a new imperative to focus on prioritized risk management versus the now impractical philosophy of eliminating risk. This means focusing on the highest risks, unique to your organization, through a continuous process of assessment, testing, remediation, and reporting, and by always aligning security metrics to business objectives.

As marketers, we need to start working more with security leaders to better understand risk management strategy, which will inform our ability to better communicate enterprise cyber posture. This readies our teams to not only prepare for and respond to the inevitable breach, but to use each opportunity to elevate brand trust and emerge with a stronger reputation than ever before.

Turn Negative into Positive

This approach was crash-tested and proven out with the Equifax experience. One of the largest identify thefts in history, Equifax turned around a mega breach in 2017 to become a thriving consumer credit reporting powerhouse with security integrity branded into the very fiber of its existence.

Using proactive and transparent communications (that were far outside traditional comfort zones at the time), Equifax’s marketing and security teams worked together through a complete IT and communications overhaul. They publicized every step of the painful process, and set new industry standards for security monitoring and remediation along the way. To this day, the Equifax annual security report serves to confirm the company as a leader who learned from its past, and established a far more sustainable market position had they chosen a less transparent path.

The report proudly proclaims:

“Security shouldn’t be a trade secret. We believe that more communication, more collaboration, and more transparency equal stronger security. That’s why our team developed this report, and it’s why we actively engage with customers, policymakers, and other organizations regarding the challenges and opportunities in cybersecurity.”

With the Equifax example and a growing knowledge base of collective experience, we’ve learned a lot over the last few years. The responsibility is falling on marketers to make, break or raise our companies’ reputations based on how we handle breach-response in the future. Like it or not, we may have no choice but to move in this direction given the Security & Exchange Commission’s proposed ruling to disclose any breach that may have a material impact on a company’s stock price within four days. This new risk of non-compliance stands to impact marketing and investor relations of both public and private companies on the order of what Enron and the Sarbanes-Oxley Act did to financial reporting and corporate comms 20 years ago.

Clearly, a poor response can be more detrimental than the crisis itself – just recently and for the first time, a C-level officer was convicted of federal charges of obstructing justice in relation to a security breach. Former Uber Chief Security Officer Joe Sullivan was found guilty of authorizing payments to hackers and hiding the fact from the Federal Trade Commission. Getting ahead of a breach with public disclosure of security policies and assurance is key.

Marketing Technology News: How Franchise Businesses Can Scale Search Marketing

Here are the top strategies to keep in mind:

1. Pre-Breach

• First, get ahead of the next breach with public disclosure of security policies and certifications. This shows your commitment to security, and gives you a leg up when stakeholders demand transparency during and after a breach.
• AWS is a leader in showcasing security posture. The company provides an up-to-date and comprehensive summary of their compliance program and policy credentials in what many are now referring to as “trust centers” on their websites (https://aws.amazon.com/compliance/programs/)
• More and more, organizations are promoting new certifications and cyber milestones through social media. Veracode, for example, actively promoted their FedRAMP Authority to Operate on LinkedIn with a video describing how this assurance “seal of approval” benefits customers.

2. Breach

• Whether or not the SEC’s new breach disclosure requirements become law, there are forces at work that will make quick response and communications inevitable with future incidents. When an incident does occur, make it a rule: don’t rush to conclusions. Decide on a small group of trusted experts on the inside and have third-party supporters at the ready. Bring them together the instant the incident occurs, and keep your cool.
• Be proactive in pushing information that stakeholders need to know on an always-updated “evergreen” public site. Cisco recently shared information on a breach they experienced: https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html. Be sure to include an executive summary, technical details, and regular updates.

3. Post-Breach

• As the storm wanes, and as appropriate fixes and guidance have been deployed, continue communicating updates to security posture.
• Stress ongoing commitment, governance policies, and cyber investment. Setting a good example, Equifax always includes benchmarks, formal certifications, and third-party testimonies and attestations.
• Don’t shy away from highlighting technical threat and vulnerability management processes, as well as offensive operations where adversarial scenarios and penetration testing are conducted.

Prioritized Risk Management

Every organization is unique in what it can and what it cannot control. These key elements are defined in a risk registry comprising cyber profile, threat landscape, and overall risk appetite. In layman’s terms, this means that corporate communication needs to account for and demonstrate the types of attackers and exploits you expect, the capabilities you have to counter those threats, the chances you’re willing to take, and your decision-making process in prioritizing risks vs eliminating them.

With rising threat levels, what doesn’t kill us really can make us stronger. This maxim compels all communications professionals to take advantage of new opportunities that can ultimately benefit our companies in the wake of cybercrime.

Marketing Technology News: How Franchise Businesses Can Scale Search Marketing