These things are the “third rail” in technology public relations, which is my forte. Talking about them seems somewhat akin to admitting you have an STD.
After advising many cybersecurity companies over the years, I thought I’d issue this call for greater transparency. We work across the tech industry – and there is not one area that has higher sensitivity. Very few customers of such solutions want to say anything about their precautions, let alone stumbles.
But they should come clean, and ‘fess up to problems when they occur, according to the basic tenets of crisis management. As the saying goes, the coverup can be worse than the crime. Google learned this painful lesson recently, when reports made it clear that they sat on news about a massive breach. The company got pounded in the press (on top of other negative news) and wound up shutting down Google+.
No, you don’t want to shout about every small glitch from the rooftops. But big problems will get outed sooner or later – why not try to get ahead of it rather than let the delays compound the damage? The far better approach to crisis management is to rip off that Band-Aid – admit your mistake, explain, apologize, and rectify. Where I come from, it’s called being a mensch.
It is also understandable why some might think they are protecting themselves by staying mum about security posture. Most say they don’t want to tip their hands or wave a red flag in front of the angry bull that is the hacker community. The silence on the topic may give people a false sense of security.
Rest assured, every organization, every individual is a target. The threats are constantly evolving and growing more sophisticated. Talking about security will not increase vulnerability. On the contrary, organizations have a responsibility to explain how they are protecting themselves – and their employees’ and customers’ sensitive data. They can do this in a way that doesn’t give away the keys, i.e., share enough info to instill confidence yet not empower hackers.
A proactive and positive communications program won’t repair damage from fraud and ID theft or keep you on the right side of laws and regulations that protect consumers. But some of the greatest damage caused by security lapses can be to brand and reputation – which in turn can adversely impact other things, like stock price and sales. It is here that good old PR and crisis management can help.
I urge a more open conversation. If there have been mistakes, admit them and fix them. Regardless, make your security precautions known; reassure customers, employees and others that sensitive data, networks and facilities are safe. Don’t be afraid to speak publicly – not to throw down the gauntlet to hackers – but in a positive way that shows you are aware of dangers in the ever-changing threat landscape and are bringing measures in line.