Cybersecurity Breaches: A Guide for Sales, Marketing and Communications Executives

You’ve just received the email from your organization’s IT or security leader: A cyberattack has exposed tens of thousands of customer records. What happens now? Does your organization have a cybersecurity incident response in place? Is your role as a sales, marketing or communications executive clear in this scenario? Is this breach really a big deal? My colleague Julie Ogilvie has written extensively on the topic of crisis communications (see the Core Strategy Report “B-to-B Crisis Preparation”); in this post I’ll focus specifically on cybersecurity breaches.

B-to-b organizations often believe they’re not at risk – or that the impact of a cybersecurity breach will be minimal because of the organization’s size or the markets they address. After all, they reason that only customers’ business information (e.g. work email address, phone number, company IP address) is in their databases, and there’s no personally identifiable information (PII), like financial or health data. However, with the rise of more stringent privacy and security regulations around the world, such as the EU’s General Data Protection Regulation (GDPR), this is no longer a tenable position.

The first lesson of cybersecurity is that thwarting every type of attack is impossible. Instead, organizations must plan for the attacks that are most likely and that will do the most damage. Every organization should have an incident response plan for cybersecurity breaches. However, the existence and content of such plans are not often socialized around the organization. The plan may have been created long ago and/or has never been tested. Frequently, the plan may outline responsibilities of sales, marketing and communications executives that they may not be aware of. Whether you are in sales, marketing or communications, make sure you are part of the response team.

Communications executives are responsible for communicating the particulars of a breach to the public and the media, as well as crafting messages for customers, partners and employees on the nature of the breach; what data was compromised; how much information was accessed; and what will be done to prevent a future similar attack. As we’ve learned from well-publicized cybersecurity attacks, transparency and timing are key. Release information as it’s discovered; don’t wait to have all the answers.

Organizations sometimes hesitate to disclose a breach to their stakeholders, but this hesitation carries regulatory and reputation dangers. In any breach, your competitors will inevitably try to capitalize on the situation and paint the organization in a negative light. Sales and marketing executives must work with their security counterparts to ensure sales reps can counter competitive arguments and communicate effectively about the nature of the breach, its impact and remediation efforts the organization is implementing. Above all, make sure that all reps who communicate about a cyber incident are honest with customers and prospects.

Many customer agreements include provisions that outline how soon a customer needs to be alerted to a breach and a specific communications channel for this alert. Many organizations, however, may want to go a step further and have an executive reach out personally to particular customers. Additionally, many region-specific regulations dictate the timing of a breach notification. For example, if an organization retains any contact information for an EU resident, that organization must notify the appropriate European Data Protection Supervisor within 72 hours to maintain compliance with GDPR.

While big-name brands face the most public scrutiny in the case of a cybersecurity breach, which often involves millions of customer records, many other organizations have experienced a hack of some kind. A cursory Web search reveals that every month, tens of thousands (if not many more) of customer records containing PII are exposed through a variety of cyber incidents. Any breach, no matter how big or small, can have a devastating effect on the reputation and trustworthiness of an organization, and any reputation damage resulting from a major breach can have a lasting impact that won’t be soon forgotten. Every executive must take an active role in winning back customer and stakeholder confidence in the case of a cybersecurity breach.