By Michael Fox, Managing Partner, ICR
The immediate aftermath of the latest corporate data breach – this one affecting a record 143 million people at consumer credit bureau Equifax – brings to mind the popular definition of insanity: namely, doing (or in this case not doing) the same thing over and over again, yet expecting a different result.
After watching countless corporate brethren fall victim to a cyberattack and suffer the ensuing consequences of lost customers, declining share prices, irate regulators, damaged reputations and more, you would think most companies – especially one with a business model based on storing and safeguarding sensitive consumer financial information! – would have prepared for the potential of this catastrophic event.
Yet clearly Equifax did not.
Of course, a company’s first responsibility is to do its best to prevent unauthorized access to its systems in the first place (a duty which Equifax is reported to have neglected, based on allegations that the company failed to install a basic web server software patch in a timely manner and that it was using weak, generic passwords at one of its overseas subsidiaries). But if there has been one clear lesson from the data breach epidemic over the past five years, it is that every system has vulnerabilities and there is no way to protect yourself or your data completely.
Against this backdrop, it is even more important – and one would think obvious – that companies need to presume this could happen to them and develop a response plan in advance. Doing otherwise would meet the aforementioned definition of insanity.
A lack of preparation is evidenced across the board in the case of Equifax: the absence of a robust website able to withstand a large volume of consumer traffic; insufficient call center capacity; unclear and, at times, conflicting statements about what occurred and when; tweets that accidentally directed consumers to a fraudulent website (which could have been used to wreak further cyber havoc); extended delays in answering basic questions; and flip-flopping announcements on what remedies it would provide to impacted individuals.
Yes, 143 million people is record scale for a data breach, and even the best planning may have been deemed insufficient by certain members of the public, but the depth and breadth of confusion, disorganization and inertia in this instance is staggering.
The disciplined process of a Crisis Vulnerability Assessment is expressly designed to unearth the broad range of threats that an organization could potentially confront. Could Uber have predicted the flurry of sexual harassment claims? Should United Airlines have anticipated the possibility of an innocent passenger being forcibly removed from a plane? Was Facebook surprised to learn that one of its advertisers was not who they said they were?
All of these scenarios can be anticipated in advance, even if not in excruciating detail. More importantly, developing Crisis Scenario Plans, which “war-game” each individual threat through its myriad permutations, is necessary to fully understand, and thus to fully prepare for, exactly how a crisis might manifest in real life. Through this, the company can better understand the specific implications of the event and the required response, allowing it to take the preemptive steps to identify the right response team, define precise action steps, develop actual material and assets – websites, call centers, third-party support, etc. – and, importantly, expose the range of questions it would need to answer in response to the hypothetical event (and then work to determine what those answers should be).
But even with a comprehensive plan in place, the mind has a way of blocking out pain, or the expectation of pain. We have all sat in the exit row of an airplane and received the instructions for what to do in case of an emergency. But how many of us are actually able to visualize exactly what we would do if that plane crashed in the water – which way would we turn first? Would we grab the life jacket? How and when would we open the emergency exit door? Would we look to assist other passengers?
In the fog of war, it is very difficult to make the right decisions if they have not already been practiced and ingrained in the minds of the first responders. That is why a Crisis Simulation Exercise is absolutely critical to completing the preparedness process. Over the course of a 4-5 hour period, the key corporate executives are chaperoned through a real-life crisis in real time, where they confront the scenario and the inevitable escalating flow of events head on, including media inquiries, social media posts, regulatory pronouncements, employee reactions, NGO protests, shareholder revolts and whatever else could result from the given event. The individuals are forced to work together to develop response plans and action steps, seeing firsthand the implications of their decisions and the speed at which the situation unfolds. Only then are they able to truly appreciate the magnitude of the task and the critical need for advance preparation. Invariably, this exercise exposes holes in the plan that need to be addressed.
To be clear, creating detailed crisis plans and simulating these situations at Equifax in advance would not have saved the company from the illegal breach it experienced. But it would have been much stronger, quicker and more effective in its response. It is important to remember that while a crisis is technically a negative event, it is also one that places the company in the spotlight – a place where most want to be. It is an opportunity, even amidst the controversy, to build brand equity and strengthen relationships. That opportunity has been missed in this case, and the reputational damage suffered will likely impact the business for many years to come.