{"id":12251,"date":"2024-01-17T13:03:12","date_gmt":"2024-01-17T13:03:12","guid":{"rendered":"https:\/\/www.eskenzipr.com\/?p=12251"},"modified":"2024-01-17T13:05:46","modified_gmt":"2024-01-17T13:05:46","slug":"crisis-comms-and-cyber-attacks-cybersecurity-pr-2024-2","status":"publish","type":"post","link":"https:\/\/www.eskenzipr.com\/2024\/01\/17\/crisis-comms-and-cyber-attacks-cybersecurity-pr-2024-2\/","title":{"rendered":"Crisis Communications and Cyberattacks \u2013 Lessons from 23andMe"},"content":{"rendered":"

In our digital economy, cybersecurity breaches have become a daily occurrence. Organisations of all sizes must therefore conduct business knowing that it is a matter of when, and not if, they will succumb to a cyberattack. And, when an attack does occur, having the right crisis comms strategy in place is critical to communicate with stakeholders, restore trust, and demonstrate how the issue is being resolved. Those of us working in cybersecurity PR see time and time again how a poor crisis comms strategy after a breach can exacerbate negative sentiment, and can sometimes create more damage than the breach itself.<\/p>\n

With that said, the start of 2024 has provided an example of how a company should not <\/em><\/strong>act when faced with a security incident…<\/p>\n

Recall December 2023, when 23andMe, the personal genomics and biotech company famed for using genetics to learn about ancestry, announced it had suffered a data breach, with hackers stealing information relating to 6.9 million users \u2013 estimated to be half of the customer base.<\/p>\n

Fast forward to January 3, when faced with over 30 lawsuits from its victims, 23andMe shifted blame for the cyberattack to its victims to absolve itself of responsibility.<\/p>\n

\u201cRather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events,\u201d Hassan Zavareei, one of the lawyers representing the victims who received the letter from 23andMe, told TechCrunch<\/a> in an email.<\/p>\n

From a crisis comms standpoint, 23andMe\u2019s response to its breach misses the mark completely. When the focus of the news is on the way a breach has been handled, this can result in irreparable reputational damage and often significant financial losses for the company.<\/p>\n

In the case of the 23andMe breach, the decision to blame the victims has fuelled negative press, dodged responsibility, and failed to express any compassion towards those impacted.<\/p>\n

While this is probably heavily driven by the company\u2019s legal department, the letter\u2019s tone has angered customers and fuelled backlash.<\/p>\n

Ultimately, in many cases, the average person may not know that their password has been compromised elsewhere. It is up to an organisation to make sure that its security measures are robust enough to mitigate any end-user risk.<\/p>\n

Publicly downplaying the risk and deflecting blame is undoubtedly poor PR. Cybersecurity breaches have become an unfortunate fact of modern life, making it critical that all organisations have a crisis comms plan in place, so they\u2019re prepared to respond properly if an incident occurs.<\/p>\n

Without this, companies risk misjudging their communications strategy, significantly exacerbating the fallout from a breach.<\/p>\n

Once more, after the breach<\/strong><\/p>\n

As a bare minimum, your company should have a tested crisis communications plan in place, with all major stakeholders and spokespeople trained in the necessary processes. Then, in the event of a security incident, it is possible to act in the best interest of not only your customers, but also the company and its reputation, by:<\/p>\n