So your organization has been hacked. Well, if only there had been a warning that there is an imminent threat against entities large and small. People should be doing more stories warning of identity theft, hacking, data breaches and the like. We just don’t hear much about it these days.
Since you have been completely blindsided, and are clearly a victim in all of this, take some time to figure out what could have gone wrong. But before you announce to your stakeholders, customers, employees and their family, partners, sponsors, etc. that their personal information is in the hands of thieves, and that the organization itself has had its insides examined – whatever you do, don’t tell them right away – give it at least a good month or two. Or tell them initially it was just one or two people and when that wears off, say just kidding, it affected thousands – the formulas for revealing the hack are endless – time to put that creative juices hat on. After all, it’s just people’s livelihoods that are at stake; there are more important things to do right now, like think about how you’re going to make yourself not look too shabby in all of this.
First things first, since you haven’t been made aware that there is a problem of epidemic proportions concerning hackings and the like, not only have you not protected the sensitive data that you hold, you most certainly don’t have a crisis communications plan in place. As those things are most effective, throw it together – just look around your office and grab one or two people (or we have found eenie, meenie, miney, mo is effective) and have them put together a plan on how to tell everyone how the organization cares deeply about its stakeholders, customers, employees and their family, partners, sponsors, etc. but has put zero safeguards in place and that their personal information is now in the hands of thieves (for inspiration check your local greeting card aisle, there may be a section now devoted to this area – perhaps under Sorry for Your Identity Loss). Put something about identifying gaps too, and how you’re going to now protect their personal information – be unwavering, yeah that sounds good. Hmmm, maybe offer some monitoring protection, because monitoring once something goes haywire with their personal information is the way to go – that’ll be a lot more helpful than it would have been protecting them in the first place.
Whatever you do, make sure you position yourself as a victim in all of this, and lucky for you, you have company! You can cite all of the other victims who also didn’t see it coming…the government, major insurance companies, large corporations, mom and pop stores – all blindsided.
Going forward, be glad this doozy is behind you. View it as something you will be stronger from experiencing. Sure, now you have to dole out some extra time and money to put some haphazard safeguards in place for appearances’ sake and maybe add a line to your organization manual, but when it happens again, chances are your stakeholders, customers, employees and their family, partners, sponsors, etc. have already had their information compromised someplace else too, so no harm done.
Fortunately for you, this is commonplace.
photo by clyde robinson