Companies that suffer an attack on their corporate IT systems tend to keep the breach to themselves until it is too late, and this might lead to a backlash from customers who find out about it from other sources.
As such, industry observers believe that, to salvage their reputation, companies should be strategic about how they communicate such incidents to the public, yet remain sincere in their apologies and transparent about how they are remedying the situation.
ZDNet Asia spoke to industry observers who provided tips on how companies can better manage any possible damage to their reputations after being a victim of an IT security breach:
1. Tell your story promptly
Eric Turner, owner of reputation management firm Crisis Experts, said the goal of every company after it suffers a security breach is to be in control of the message being conveyed to the public.
Reacting only after the incident has made headlines is too late, so companies should proactively share information about the attack with their staff, Turner advised. They should then inform their stakeholders and the public once the details of the attack have been confirmed. Further updates should also be provided as and when the information is available, he added.
"If a company does not beat the media to revealing the breach, they don't appear [to be] on the ball. By getting in front of the story, the company leads it rather than react to it," he explained.
Lisa Elia, CEO and founder of Lisa Elia Public Relations, added that companies can use social media platforms to post updates on what they are doing to restore their IT systems, given that many people are on such online services.
2. Tailor messages to different audiences
In terms of the content of the message, Michael Fleischner, CEO of PR firm MarketingScoop, said there should be some level of customization based on the various target audiences.
A generic message will not suffice because each group has specific needs and concerns that need to be addressed through a carefully crafted response, Fleischner advised.
That is why companies need to identify these needs and angle their messages to each stakeholder accordingly, he added.
Augustine Pang, assistant professor for crisis management at Nanyang Technological University's School of Communication and Information, agreed. He said while the messaging should be consistent, different stakeholders would look out for specific details and information regarding the security breach.
For example, customers will be most interested in how the breach will affect them personally and what the company will do to protect them, whereas investors will be more concerned with how news of the breach could affect public perception of the company and, with it, its stock price and valuation, Elia pointed out.
3. Don't delay apologies
Turner noted that while an apology from the affected company is important, it must be made in the context of what the organization is doing to rectify the security breach, or the message will look meaningless.
Should a company apologize for the breach while revealing what happened, what it is doing about the breach and how it is looking to prevent such incidents from happening again, the apology will hold more weight, he explained.
Pang added that regardless of whether the attack was an inside job or came from external parties, companies will always have to assume responsibility. They should thus apologize as soon as they have a clear idea of how the breach took place, because any delays will only increase stakeholders' suspicions and wrath, he suggested.
4. Transparency is key
Companies should also communicate openly and honestly about the incident to ensure customers have the latest, most accurate information regarding the attack and its impact, Fleischner said.
Any effort by the company to cover up or mislead its stakeholders will likely be discovered and result in permanent damage to its reputation, he pointed out.
Turner concurred. He said being open, transparent and sharing information proactively as part of dealing with the situation will help the company maintain and build its credibility.
"Don't lie, try to hide the truth, hope it will go away so no one will find out, and don't blame others," he urged.
5. Help your customers
Companies should put extra effort into helping their customers deal with any repercussions from the security breach. This will go some way to showing their concern and maintaining customer relationships which could potentially be damaged by the incident, Elia advised.
For instance, a company whose systems breach led to its customers' personal data being accessed illegally by hackers can help by giving those customers specific information on what they should do, she elaborated.
Customer service teams need to be taught to handle queries from the media and direct them to the appropriate spokesperson. Scripted responses and brief outlines on the incident will come in handy when the frontline staff have to field questions from customers, investors and other stakeholders, the executive stated.