Managing Marketing: Being On The Front Foot Of Data Breach Crisis Management

Rhys Ryan is CEO of Porter Novelli Australia and has worked extensively on cyber security and reputation management. He has spent 15 years with Porter Novelli in Sydney, Melbourne, and the US, as well as a six-year stint with Edelman in the US, in New York and San Francisco.

In this episode, Rhys discusses how to be proactive and prepare for strategic communications, issues, and crisis management, especially around data breaches. 

Follow Managing Marketing on Soundcloud, Podbean, Google Podcasts, TuneIn, Stitcher, Spotify, Apple Podcast and Amazon Podcasts.


Transcription:

Anton:

Hi, I am Anton Buchner, senior consultant at TrinityP3 Marketing Management Consultancy.

Welcome to Managing Marketing, our weekly podcast where we discuss the issues and opportunities facing marketing, media, and advertising with industry thought leaders and practitioners.

Today, we’re talking corporate reputation and risk, especially around data breaches. And our guest today has worked extensively around cybersecurity and reputation management.

Please welcome to the Managing Marketing Podcast, CEO of Porter Novelli Australia, Rhys Ryan. Welcome, Rhys.

Rhys:

Hi, Anton. Thanks very much for having me today. Great to be on.

Anton:

Good to have you. And this is such a hot topic. Each day or each week it seems, we seem to open up the news and hear of some other data breach or an extortion attempt.

And yesterday, or I think it was the day before, I was reading about the latest RockYou 2024 breach, where almost 10 billion files have been released into a forum. So, it seems to be omnipresent in our sort of digital world, doesn’t it?

Rhys:

Yeah, I’ve been working heavily in this space now, for five to seven years. Really, it kicked off with the change to the notifiable breach scheme back in 2018.

And that’s when it really changed because if you’ve lost someone’s personally identifiable information and that could cause a risk of serious harm, then you’re now legally obligated to notify.

And that’s what really kicked off this increased interest in data breaches. I think before that a lot of them were actually just going through to the keeper because companies weren’t required to notify.

And for many years now, we’ve been working more and more heavily in the space as we tend to create relationships with specialist insurers and law firms. I keep thinking that people are going to become blasé towards it, and it just doesn’t happen.

And the media interest in it continues to be intense. And I think there’s a combination of factors that influence that.

But I think one of the key ones is that a lot of the time people actually have to take action. If you’ve lost their ID documents, or their credit card numbers, or their tax file numbers, they’ve got to take time out of their day to fix that. And that is a huge problem for people who are busy and have better things to do.

Anton:

It’s almost a conundrum, isn’t it? We want this digital world, want everything to be seamless and want things to be easy. We’re uploading, as you say, all our documents.

But when something like this happens, we tend to go, “Oh my God, what are people going to do with my email address or with these documents or other information we give?”

I’m really interested to pick your brain here because you’ve worked with some of Australia’s and the world’s leading companies in this area. For those listening, and the senior managers I think will also be really interested in some of the reputation management and crisis management areas you’ve been working on.

You’ve spent, as part of your background, 15 years, I believe, with Porter Novelli, both in Sydney, Melbourne, and the US. And you’ve done a stint in between of six years with Edelman in San Fran and New York as well.

So, maybe give us a quick background for all the listeners, what you’ve come across and how it’s changed a bit over the last decade or last five years.

Rhys:

Yeah, certainly. I came out of broadcast journalism originally and then went into communications consultancy 21 years ago. And certainly, over the past sort of 10 years, you can see the shift in the way consumers in Australia, in particular, view the relationship between privacy and convenience.

And that relationship had been changing a lot up until about 2015, where I think we were so in love with all the newfangled things that our gadgets could do, that we were willing to pretty much waive all of our privacy rights in order to get more convenience.

And the innovation was just so fast. Companies like Amazon, and PayPal, and obviously Apple, they brought so much innovation and ease and convenience into our lives.

But I think over the past 10 years, what you’ve seen is, I think that innovation slowed a bit, or at least it hasn’t become as apparent in our lives.

Some of the coolest things that Apple have done, probably they did between 2007 and 2015, and then every new iPhone seems to just have a slightly different camera.

And so, I think there’s a bit of that, and that will probably change again as the machine learning and AI really starts to take off.

But the other thing I think is in the mid-2010s, right about 2015, 2016, the Cambridge Analytica scandal, and Meta, and Alphabet, the Google company, started to have some of these reputational scandals.

And it kind of became clear to people that in a lot of these instances, we’re not the customer, we’re the product. And the level of cynicism started to grow.

And I remember when the Cambridge Analytica scandal happened, the person who was the spokesperson for Meta Australia at the time said, “Well, if you are not willing to give up your privacy for convenience in the 21st century, you’re not going to like the 21st century very much.”

And there was absolutely no contrition there at all. And I thought that was really interesting.

And then in the last few years, I think that pendulum started to shift back. And the research we did last year showed that people’s willingness to forego their privacy for convenience is actually starting to wane back the other way.

And I think the way is open for people, or for a company, and companies that can innovate so they are protecting your privacy and not holding your data in perpetuity in order to give you some convenience.

A lot of the time we surrender our data, which is worth something to a marketing company, for nothing. And we don’t even get free delivery or something in return.

I remember when I worked in San Francisco, there was a company, it was a startup that had an encryption key that basically allowed you to give your data to a big e-commerce marketing company so they could use it and then take it back again so that they didn’t get to keep it without giving you something for it.

Anton:

Yeah. I think on to that point, I mean, I’ve seen, and we know the privacy principles are changing, or seem to be changing, here in Australia, but I’ve seen a lot of companies move to ask us as customers or consumers whether you want us to hold your data still; you’ve got options to opt out.

You’ve got options now, to reduce the footprint that they hold on you. So, I think that’s a good move.

So, I think, as you are saying, there’s a trend of either we don’t care too much, and maybe it varies with different demographics and different attitudes. Interested in your thoughts, maybe the younger don’t care at all.

I mean, has anybody ever read the Ts and Cs when you’ve signed onto an app or signed up to something new? And others are extremely careful and cautious and want encryption and all that sort of stuff.

Rhys:

Yeah, no, it’s certainly split down demographic lines as you’d expect when you look at what the concerns are and what we’re concerned about. Those over about 55, 60 are much more concerned, mainly with the sort of general suspicion of technology. Younger people, more blasé.

But I think the other thing is, when we think about people who are sort of “old” quote unquote these days, like I’m 47 and I’m sure to a 25-year-old, I seem old. But when the internet really went mainstream with the worldwide web, I was 17, so I grew up with it.

And I had a Facebook account when some of the people who work for us were still in primary school. So, I think the idea that old people don’t get this stuff is probably mostly relegated to people over maybe 65 or 70, I would say.

Anton:

Yeah, a bit of a fallacy.

Well, let’s talk about data breaches, because obviously communication is critical, and that’s the world you work in. We’ve seen with a telco relatively recently, last year here in Australia where communication was relatively slow. And you’ve got all sorts of different stakeholders to manage and obviously how do you get information out.

And I was reading just today that Ticketmaster had a data leak on 39,000 tickets. So, printed home tickets where they’re holding an extortion threat against Ticketmaster with those particular tickets that have been sold.

So, as customers, it’s like, when do you communicate? How do you communicate? What should a company say? But what’s so important about the communication side firstly? Might be really obvious, but let’s get back to basics.

Rhys:

I’ve got a lot to say about this, Anton. So, I won’t say it all at once, but mainly we get brought in for the most part when it’s going to be a problem for an organization reputationally, that they’ve had some form of data breach or cyber incident.

So, we don’t often get to see the ones that are pretty run of the mill and go through to the keeper.

But you’ve got, with a data breach or a cyber incident, it’s essentially a technology problem and a business problem, an operational problem until it gets to the point where people outside of your organization learn about it or all of your employees or other stakeholders learn about it. And then it’s really purely a communications and reputation problem.

And I find that what often happens is that companies and organizations of all sizes have extremely varied levels of preparation for that. And that tends to be a big problem.

So, when you think about the way these things sort of occur, if you have, say, a ransomware attack, which is probably the most likely reason for this sort of incident which you might need to, say, notify people for, there’s often this terrible sort of what we call the valley of uncertainty.

When you know you’ve had an incident, you know someone’s accessed your system. You know they may have taken some data or accessed some data, which may in the end require you to notify people that you’ve lost their personally identifiable information.

But you don’t know who, and you don’t know what the data is. And it might be days or weeks before the forensic investigation can come to a conclusion on that. Or it might never, because it just might be so difficult to understand that they can’t come to a conclusion on it.

But in the meantime, if that becomes public, then you’ve got to make a series of choices about what you communicate, how much you communicate, when you communicate, and with whom.

And that’s where companies get into trouble because the way they communicate does not align with the expectations of their stakeholders. And those expectations are different for every company or organization. And so, you see-

Anton:

What are the timeframes, Rhys? Are we talking hours here, or days? You brought in sort of, I feel it’s a bit MI5 or FBI where you’re brought in, and you’ve got some hours to crisis convene.

Rhys:

Well, unfortunately, it is very horses for courses. So, with one, for example, where the client we had almost went out of business, had to rebrand and it was really tough for them. That was publicly sort of acknowledged at the time.

But they had someone tweet at them and say, “Hey, I think you’ve got a vulnerability here.” And unfortunately, the IT security people sort of didn’t take it very seriously.

And then six weeks later it became clear that they had a cyber-attack. But unfortunately, they were a publicly traded company whose customer set were large banks.

So, as soon as this became somewhat known, the banks said, “Well, we’re not going to deal with you at all until you’ve sorted this out.” Which is what they would normally do, which is what you do as a prudent, risk-averse company.

So, their revenue went from half a million a day or something like that to zero. And at that point they had to tell the ASX of course. And we got brought in an hour before the ASX statement went out.

So, you can imagine how difficult it is to try to manage that. It was on the front page of every paper the next day. And we still didn’t even know anything. We didn’t know anything about this attack, who’d done it, where it came from.

Whereas with some other organizations, we get brought in, we say, “Look, we’ve had a really nasty attack. We know the threat actor. It’s Medusa or BlackCat or one of these Russian threat actors. We know their MO.”

“We’re already negotiating with them to try to buy some time. And we should have finished our forensics investigation within a day or two. Then we’ll know exactly if we have any obligations to notify. We’ve got contractual obligations to notify some of those B2B customers, we’re doing that.” It’s all very controlled.

The challenge is when you get that thing where it becomes public, or it’s going to become public, before you are ready to communicate fulsomely. For example, a threat actor might say, “You’ve got seven days to pay a ransom, and then we are going to start dumping data on our leak site.”

So, you’ve got seven days, but it’s already day four because the email from the threat actor went to your spam box and you didn’t notice it or whatever. There’s all these sort of endless machinations.

But what we’re always trying to do is buy a little bit of time so that when we do communicate, we’re not just confusing and alarming people by saying, “We’ve had a huge cyber-attack and we don’t know anything. So, good luck.”

Like that’s not going to make anyone very happy and it certainly is not going to be good for the way it’s covered in the media and that sort of thing. So, a lot of the time, we do tend to hold back a little bit if we can until we’ve got something we can say that’s actually accurate.

And in terms of your obligations, I mean, you’re not really obliged to notify people until you have evidence that you’ve lost this PII that causes risk of serious harm. And you’ve got 30 days to do that. So, legally you’ve got time, but in the court of public opinion, you don’t.

So, no one ever sits there till 29 days before they go and tell customers they’ve lost their data, because the first question is, how long have you known about this? And once it becomes public, then the clock’s ticking anyway because everyone knows when it happened.

Anton:

So, you talked about preparation, that’s obviously critical. You’re talking about the support at notification. What other communication roles do you get involved in?

Rhys:

Well, when it comes to prep, obviously, we encourage all of our clients to have a specific cyber incident response plan. And that really should lean heavily towards the first sort of 24, 48 hours.

So, having really clear escalation and diagnosis protocols so that you can spot — anyone in the organization who’s sort of customer facing, can see an incident, can see an issue, and escalate it to the right people within your IT security team so these things don’t go unchecked.

And then you have a simple plan that allows you to convene the right people to respond, bring in the experts you need, like specialist legal, specialist, forensic, whoever it might be. And get that process rolling immediately because it’s that first few hours and days that you can really make gains so that later you don’t have to explain why it took you a week to do something about it.

And then within that, we also would always recommend, and we do this for a lot of our clients, that you have a suite of pre-prepared comms, because the comms you need from a written point of view in any data breach are pretty similar.

Like you can pre-draft a lot of that content to about 75 to 80%. And then have it all legally approved and ready to roll, so that when you do have a data breach, it’s really a matter of just updating the specifics and then you can do it much faster.

Because sometimes you might need to communicate with internal audiences, external audiences, regulators, other government stakeholders, other customers, B2B customers. There’s a huge range of comms that have to be prepared. They’ve all got to be legaled. They’ve all got to be looked over by insurers.

And so, if you are trying to start a 60-page comm pack from scratch, it’s going to take a long time. So, we always recommend prepping all that. I think-

Anton:

And, Rhys, have you noticed that’s different in Australia versus America? Did you notice or pick up that America is more alert?

Rhys:

Yeah. It’s different here because we have this notifiable breach. It puts so much more pressure on companies that have to notify really quickly. And that’s caused this sort of ratcheting up of consumer expectations.

And I think the other thing is, I think that when you do have an incident, if you’re a marketing company or within the marketing function, it’s really important that you have a set of guiding principles that you’ve agreed to before you have an incident.

So, in the event we have this sort of incident, these are the ways we’ll behave. And mostly they refer to your level of transparency and communications you’re going to engage in. Because every organization has a completely different expectation on them from their stakeholders in terms of how transparent they’d be in this sort of incident.

So, we’ve worked on a number of these sort of incidents for charities or similar sorts of organizations. And their employees are extremely mission driven, and their donors expect that this organization wouldn’t hold back information that could help them avoid harm and that sort of thing.

So, they would often be a lot more transparent than they need to be or are legally obliged to be in an incident.

Whereas if you’re a B2B company that is a privately owned company, then you’re probably going to be a lot more reticent to go out there and sort of shoot yourself in the foot by telling people you’ve had a data breach if you don’t have to.

So, being really clear about how you’re going to do that beforehand tends to inform everything else.

And so, our role in communications is obviously just that massive amount of content development, helping liaise with media and craft a strategy that helps you basically tell everyone you need to tell without telling anybody else.

And then the second part of it’s just helping with that sort of pub test because we work in this day in, day out. We can tend to advise our clients on what the current sort of mood is towards this sort of thing. It changes over time.

Like we had one for a really big charity that occurred two weeks after the Medibank and Optus fiascos. So, the temperature was at 150.

If that happened now, it wouldn’t be that big a deal, but for them it was enormous because it was a week before they started their annual giving appeal where they get 60% of their donations for the year, which are all done through an online portal, et cetera.

If their donors felt like they were not a secure organization, it could have been catastrophic for them. And by extension for the hundreds and thousands of children that they support.

So, that was something where we had to be very careful, because we knew there was an expectation on them to be transparent. But while we didn’t really know who’d been affected yet, we had to be really careful about the way we communicated about it.

And we had a very kind of careful media strategy to make sure that we were telling everyone we needed to, but in a way that killed the story within a few hours, essentially and not giving it oxygen.

Anton:

I was keen to delve into that a little bit more because ultimately reputation management, it feels from an outsider looking in, there are no hard and fast rules. So, as you’re talking about maybe it’s the mood, the temperature.

But how do you juggle that damage to reputation if it’s going out through social media and the social media advocates are out there spruiking any possible scenario versus different stakeholders. So, how do you advise on reputation recovery? Or how do you advise on reputation management on a scale?

Rhys:

Yeah. So, I’m always surprised when I see people announce a data breach like they’re launching a product: we want to tell everybody.

Like for the most part, the way we see it is that rather than broadcasting to everyone about it, the way that the news environment is now, it’s so fragmented that if a story hits the Daily Telegraph and West Australian and is on ABC a couple of times, the vast majority of Australians are not aware of it.

And really, if you had an incident, you’re the victim of a crime, but no one’s going to give you any sympathy for that. So, there’s no win situation. It’s about can we have a bad day or a really bad day? We’ve got to get to bad. And we always talk about trying to get to one bad day instead of a rolling wall of crisis.

So, we talk about narrowcasting to stakeholders as opposed to broadcasting to everyone. So, once you’ve talked to anyone who’s actually affected, notified them and given them everything that you can give them to support them and help them protect their privacy and do all those things.

Maybe you’ll pay for them to access IDCARE or get a free credit check and that sort of thing. Or pay for them to replace their ID docs, that sort of thing.

So, you do all that, then obviously you’ve got to notify the regulator, you’re going to tell all your employees, and some of the affected individuals might be former employees, et cetera. You’re going to tell your customers and stakeholders, suppliers, and partners.

After you’ve done that, you don’t really have any, as far as I’m concerned, moral or legal obligation to tell anybody else.

Now, the media will want you to tell everybody else because it’s great clickbait, but unless it’s something like, say, an Optus or something, it’s not really a public interest story as far as I’m concerned.

So, we try to answer the questions the media have, but we don’t really have any interest in trying to make this a big story. So, data breach stories are actually inherently very boring without humans in them to talk.

Otherwise, all you’ve got is some data was stolen and a picture of a guy in a hoodie huddled over a keyboard. And that’s about it. So, if you can avoid putting a spokesperson in front of it, you do.

Now, that’s my sort of 9 out of 10 breach rule. There’s always going to be one where it’s so catastrophic or the company’s done the wrong thing and they need to own it, or they need to be really transparent that they need to actually get someone out there to talk to it and own it.

And I think that that does happen from time to time. And a lot of the time that happens because the biggest risk in this stuff is third party risk. So, most of the time when you lose data, it’s not because you lost it, it’s because your IT service provider lost it and you are just affected by it.

And that’s where I think putting your supplier gently under the bus without looking like you’re trying to pass the buck is a tricky thing. But it is important that you do it.

And a good recent example was probably Monash Health, who came out and said very clearly that this is a really bad one that’s happened, and we’ve lost people’s very sensitive health records because their third-party supplier lost them.

And it is very tricky in that situation when you are not responsible, but you are the household name. So, you are going to be out there in the headline. That’s what you might want to own.

Anton:

It’s your reputation at the end of the day, isn’t it? Whether you’re using third party or not.

Rhys:

And that’s the challenge. We’re generally working on behalf of a third party that’s lost others’ data. Or we’re working for the other one that’s been affected by a third-party data breach. And generally, in both situations, the household name’s going to end up in the headline.

So, if Coles Supermarkets has a supplier that has a data breach where they’ve lost some of Coles’ customers’ information, you’re not going to put Anton’s IT support in the headline. You’re going to put Coles in the headline.

So, you’ve got to own it. You can’t be the victim and you can’t try and throw them under the bus. But you can gently remind people that this is a criminal attack, and we are working with our third-party supplier to try to understand who’s affected. That’s the thing.

Anton:

Yeah. I mean, on a personal level, I have that with the schools, you might have seen it too, where the schools’ schooling system uses third party apps for a lot of communication and supplying photos and all sorts of things of the kids.

And for the last two years we’ve had to agree whether we want that third party platform used by the school, and do we allow that sort of content to go onto that platform for our children, et cetera, et cetera. So, I think we’re getting trained and more and more used to this.

But I like what you said earlier that it’s possibly the media getting excited over the headline, or getting excited over a headline, then it tends to die down pretty quickly. From my perspective, a day or a week later, it’s gone.

Rhys:

If you’re a brand custodian for a well-known brand, it’s a real concern. You’ve got to be really thinking about that because you are going to end up in the headline regardless of who’s at fault or regardless of how bad it is.

And that’s one of the problems with going too early. We always talk to our clients about not breaking into jail. So, if you go and hit the trigger too early and say, “We’ve got to get out there and tell everyone, we’ve got to be seen to be transparent.”

And I do agree that you always want to do the right thing in any crisis scenario. You’ve got to be human and you’ve got to … I always talk about the time machine, like you can’t get in your time machine in two weeks’ time and go back and do the right thing and then come back and say, “Yeah, we did the right thing.” You’ve got to do it in real time.

So, you’ve got to stop and think when you have a crisis, if I were affected by this, what would I expect our company to do? And then do those things because you can’t go back.

But having said that, we’re really wary of going early because you never know what the forensic report’s going to say. And you’ve seen multiple instances of big companies coming out making definitive statements only to have to walk them back later.

Anton:

When they find out the real.

Rhys:

Which is really bad, and it’s not really their fault. Forensics comes back and says, “Oh, we found another 10 gigabytes of data that’s been stolen or whatever.” And everyone’s sort of freaked out.

We had one a couple of years ago with a small health insurer where the initial report was, we’ve lost 186,000 people’s full records. But we’ve got to actually validate that. That’s just our initial read of it.

And they wanted to kind of go out and start communicating and we really pushed them to say, let’s just white knuckle it and hold fire. We’re going to tell the people we need to tell for sure, but let’s just wait till we get the full report.

In the end, it took about a week and a half of pretty hairy situations where we kept thinking it was sort of going to go public and it didn’t. The number of people that we actually had to notify was 23. Not 23,000, 23.

And if we’d gone out and told people we lost a couple hundred thousand people’s records, it would’ve been catastrophic for that insurer.

I mean, you look at what happened to Medibank, they lost 13,000 customers in the first quarter after their data breach. And that was just the first quarter. That was just the people that probably actively left. Imagine what happened to all their renewals over the next year.

So, this organization could have lost 5,000, 10,000 members. That’s millions and millions of dollars that they would’ve forgone. And I just think sometimes you’ve got to be judicious about when you go out and communicate.

If you don’t have to and you don’t have all the facts, it’s worth waiting a day or two. Because the reality is that the people whose data’s been taken are under absolutely no threat whatsoever.

So, if you are BlackCat and you’ve stolen 600 gigs worth of unstructured data from a bank, it might take you two years to go through all that data if you wanted to. Which you don’t because you’re just trying to use it to ransom the bank.

And if you end up giving it to someone else, it would take months or years before anyone could actually use that data. And they wouldn’t anyway because it’s not being stolen for that reason. It’s not being stolen to use, it’s being stolen to ransom.

So, I think a couple of days to get your ducks in a row and make sure you’re not shooting yourself in the foot is probably good advice for [crosstalk 00:27:35].

As you said before, it does go back to that idea about making sure that your CX is aligned, so that your customers’ expectations of you are aligned with the way you behave in a crisis.

So, that’s how I always try to think about it. Like it’s amazing to me how good your CX is when you are trying to sell me something. But then when you have a crisis and I try to find out something from you, all of a sudden there’s lawyers everywhere and no response.

So, I think if you can try to make your customer experience consistent when you’ve had a crisis as to when you’re trying to sell something, you’ll get a much better outcome.

Our research last year, we talked to people about sort of six best practice parts of the way you communicate when you’ve had an incident. They’re not rocket science. They’re just transparent communications, timely communications, those sorts of things.

And when you ask people about how they feel about a company when they do all those six things, or when they did all those six things, when they’ve experienced a breach, the net promoter score, the intention to repurchase, the intention to recommend, all those things are quite high actually.

I think sometimes if you behave really well in a crisis, you can actually strengthen your relationship with your key customers. And you-

Anton:

Well, that’s what I wanted to ask you because I’m hearing you talk, and that customer experience keeps going in the back of my head where there definitely is an expectation of how the company should act.

And I think the general public, and maybe the media, is getting more and more vocal on you: “Tell us more. Tell us as much as you can.” And there’s sort of the demanding on one side.

And then the experience of everything you’ve been talking about internally, where you’re going through the machinations of trying to find out what degree this is and how you should act.

So, how are you balancing those customer experiences, both I guess an internal experience for staff and then that external experience you were just touching on?

Rhys:

Yeah. So, I think there’s two things. One is, as I said, I think sometimes you do have to communicate even when you don’t have all the facts, in typical crisis management fashion.

Which is to say we’ve had an incident under which an unauthorized third party has accessed our system. We’ve immediately done X, Y, and Z. We’ve secured our systems, we’ve launched an immediate investigation.

At this stage, there’s no evidence of blah, blah and blah. However, we’ll continue to update on a daily basis until that investigation’s complete. And any other extraneous information you can add.

Like for example, with this one we did recently with a large member-based organization, we were able to say, “While our investigation’s ongoing, we can confirm that our member data is stored on a separate server from the one that was impacted. So, generally, our member data is unaffected.”

So, we weren’t able to say definitively that no members were affected. And in the end there were nine members affected because the other server had some unstructured data on there. But we were able to say to the bulk of our tens of thousands of members, it’s unlikely. And that’s enough for most people.

And you can also provide that to media, but also, in an email to members and to staff and say, “However as a precautionary measure, change your passwords, make sure you’ve got MFA enabled, all those things to protect yourself.” And then you can go out and sort of say, “We’ve completed the investigation and done this.”

So, sometimes there really is a good cause to do that. In this case, the main reason was we were trying to negotiate with the threat actor to buy ourselves some time so we could complete a forensics report.

And the threat actor went and dumped data on their dark web leak site. It was a sample of data to say we’ve got this stuff.

And we anticipated that they would do that because they usually do that after about seven days. So, we were ready to go on day six with that interim communication. So, there’s that side of it.

Like I think you do need to actually communicate. It’s more just about timing it as best you can.

But I think the other thing is there’s a lot you can do to prepare so that you are actually thinking about your customer experience and making sure that if it does happen, you have ways of continuing that customer experience.

So, a good example of that is we recently did a cyber incident response plan and simulation for a very, very high-end luxury car brand.

And we were talking about that continuity of CX, and I was sort of like if one of your customers rings up and says, “Hey, I’m thinking of turning over my vehicle, it’s been three years.” They’ll get a call back in 10 seconds.

Or someone will answer and immediately help them and look after them. And a private car will come and pick them up at their residence to bring them in for a test drive and all that. That white glove service experience.

And then you have an incident, and they call up and they get an answering service, or you’ve called at a busy time, or please email us and we’ll get back to you. That’s not going to cut it.

And I think that would be such a clunk, it’s such a break in the brand promise where we’re willing to go above and beyond for you no matter what. Oh, unless we have a problem.

And then it becomes clear to the customer that the brand promise is actually stacked in the company’s favor and this is a B2C situation. It’s asymmetric and they actually care more about the shareholders than they do about you.

And it’s just a massive clunk and it’s really hard to recover from that. Whereas if they ring up and they get a human on the phone who says, “Yes, absolutely sir, we’ve had this incident. I can’t answer all your questions, but I can take them down. I’ll make sure they come back to you ASAP.”

And so, the outcome of that was they’ve now gone and started a relationship with a call center and have pre-trained a group of people, so that if and when it happens, they can stand that up in a couple of hours and have people answering the phones to angry customers.

Anton:

To be constantly ready. Yeah.

Rhys:

Yeah. And that’s just simple prep. But it takes that sort of, you have to go through the process and go, if it did happen, what would we actually do in real life? And do all those things beforehand.

Like we couldn’t recommend strongly enough having existing contracts with a call center, with forensics specialists, with a specialist legal team.

And a lot of that comes through if you’re insured with cyber insurance; that is all covered by that. That’s how we are usually brought in within an hour or two, we just jump straight in because the insurer contracts with us.

But that is so impactful in that situation. I mean, can you imagine trying to deal with a data breach where your Active Directory is down, but also, trying to get a call center signed up and get contracts signed and all. It’s just [crosstalk 00:34:17].

Anton:

Yeah. Not me. So, it sounds like yeah, aligning that customer experience, as you said, to whatever your brand position is and whatever customer experience you’ve created, make sure you have that in place in terms of preparation and plans for any incident or attack.

I wonder whether something like AI technology in contact centers could start to take hold here, where it’s not a real person, but at least it’s someone who sounds relatively human taking these calls. Especially if it’s floods of calls to whatever company.

If you can’t manage answering all those phones at once, then maybe AI is going to help you to be the immediate flick of a switch. If we’ve got a reputational issue at least the questions can be asked.

Are you calling about this incident? We’d like to help you. That sort of letting you know that everything you’ve said, letting you know it’s underway. We understand it’s difficult for you. We’ll get back to you as soon as we can.

Rhys:

Yeah, certainly. And we’ve used those sorts of things before for really big ones. So, we had one last year which went out to hundreds of thousands of people. And it was quite sensitive.

So, normally if you send out a million notifications, you get about a 0.3% response rate, phone calls and emails. So, it’s pretty small. So, you might get 3,000 or whatever it is, out of a million.

But we thought we were going to get more. And we did because it was very complex. And it was people’s health information and that tends to make people very concerned. Mental health and that sort of thing.

So, we had chat bots set up via their website and socials so they could answer simple FAQs. And then we had the call center, had some of that sort of biometric data laid into it so that if you had a simple question, they could direct you to the website where there was a detailed FAQ.

And then if you didn’t, then it would take you through to a call center operator who would eventually have to probably refer you to the lawyers. But at least you can thin it out. So, generally if you’ve got a question like, why have you held my data for so long? Then you can probably answer that with FAQ on a website.

But if it’s more like, I want to know exactly what dates my data was held and I want to know exactly all the data by way. So, some of it might actually need a lawyer to look at it before it goes back.

Anton:

To delve in, yeah.

Rhys:

And you want to make sure that you’re not getting lawyers to look at hundreds of those because you are going to rack up some significant cost. So, yeah, there’s certainly a role to play for AI and technology, especially with large volume breaches.

Anton:

Yeah, yeah. And you’re dealing with emotional distress, you’re dealing with functional issues like you talked about. I know you’ve got this data on me, so has that gone? So, I can get the feeling of how sensitive this is and difficult balancing act.

Rhys:

Usually there are three kinds of people who come back to you. There’s often sometimes sort of older folks who maybe are just very concerned and don’t quite understand what’s happened and how it works.

You get lawyers who come back to you demanding information. And then you get what we call cyber heroes, which are CTOs, CIOs, CISOs, people who run network security for big companies and want to lecture you about how poor your security is and then go and post on LinkedIn about it.

So, there’s always a handful of those with every breach as well. And they often want to really have a crack at you, but you just got to try and answer their questions as best you can and as respectfully as you can for the most part.

Most people want to have one crack at you and then they feel that they’ve had actually a way to voice their displeasure.

Anton:

I’m not sure we can answer this, but I was intrigued when you talked earlier about the extortion or threats and releasing a portion of data onto the dark web or whatever the extortion threat is.

Can you share like what sort of numbers are we talking about? What percentage of challenges are actually paid out? Or do companies actually pay out, or?

Rhys:

Yeah, for sure. Yeah. I mean, I couldn’t tell you specifics about that, but there were 1,500 or 1,300 notifiable breaches to the Office of the Australian Information Commissioner last year, the IRC. So, they’re notifiable in that you couldn’t remediate, so you had to notify.

But if you paid a ransom and got all your data back or proof that it was deleted, you’ll then receive legal advice that you don’t need to notify because you’ve remedied the loss of data.

I saw one survey from MCNICOL that said something like 70% of their customers said they’d paid a ransom at some point. So, if there’s 1,300 being notified, I’d say there must be at least dozens or hundreds of ransoms being paid from Australia each year.

And it’s not illegal. Unless obviously the organization’s a prescribed terrorist organization, then it is illegal. But you can certainly get legal advice that says in this circumstance it’s appropriate to pay a ransom.

And when you think about it, if someone had your daughter, you’d pay a ransom. It’s a similar thing. You’ve got people’s data, and as a customer, my attitude is pay the damn ransom, get my stuff back. Don’t send me a letter saying you’ve lost it. Pay the ransom.

And I think the misconception out there is that somehow the threat actors will then re-extort or they won’t act honorably.

But if you play it out, there’s absolutely no incentive for them to do that. Their business model relies on people believing that they’ll give it back and trusting that they’ll delete it and give it back. So, they’re generally pretty trustworthy as far as criminals can be.

And some of these organizations are very well organized. They’ve got big teams: call centers, HR, vacation, the whole bit. You do see a bit of a slowdown in September, October because all the people over there in Eastern Europe and Russia are all on holiday.

And generally, the problem comes sometimes because their pricing strategy’s wrong, or they’ll ask for way too much money, or the organization that they’re trying to extort doesn’t really understand how it works.

So, when I’ve seen ransoms paid, they’ll come in and ask for 500 USD and we’ll engage an experienced negotiator, and they’ll get them down to maybe 70. And that’s usually covered by insurance anyway, if you’ve got an insurance policy.

So, it actually is pretty strong incentive to pay the ransom if as an organization it’s not inconsistent with your values and no one knows about it yet. I mean, often the problem is that the ransom is off the table because it’s public knowledge that you’ve been attacked. At that point, you’re probably not going to do it.

But certainly, the professional negotiators that we work with, they’re fantastic. They’re sort of ex-FBI types, and they know all the threat actors and they collect data on them. So, they can tell you with a lot of accuracy how long before they’re going to do X or Y, what we need to do.

And even they’re quite accurate in their estimates of what they can negotiate them down to. So, it gives our clients a really good look at what they’re actually up for and what the risks are, which is really great. It’s a sort of funny little cottage industry, that ransomware negotiation.

Anton:

Can imagine. And you said something earlier about a bit of honor, honor among thieves.

Quickly picking up on that point, what chance does the corporation really have to know that the data has been wiped or has been supplied back, and they haven’t kept copies or they haven’t put it somewhere else? Is it a leap of faith?

Rhys:

Well, I mean, look, I’m not a forensics expert, but there are certain programs and tools you can use to permanently delete product data. And they’ll usually do something like send you a video of them doing that, using that tool. Or evidence that they’ve deleted it off their system.

Like I said, you can’t really trust that. But if you know that your data was stolen by BlackCat and then your forensics team picks up three weeks later that some of that data’s floating around the dark web somewhere, then BlackCat’s done. Everyone will know immediately that they didn’t delete that data.

And so, like I said, they’re not always trustworthy, but the ones that are more established, there’s a lot more of a track record of a body of evidence that they do behave well.

And that’s often what happens when we have a new one. We can’t necessarily vouch for them in that way. So, it gets quite tricky to make predictions about what they will or won’t do.

Anton:

Interesting. Fascinating.

Rhys:

Which makes it harder to manage. Because some of them are like, okay, we’ve got seven days from today before they do X. And so, you can sort of plan. You’ve always got a plan for contingencies, but generally, they’re pretty accurate.

And they’re still, like I said, running 25 of these at once. They make a threat, they don’t always carry it out, that sort of thing. But they can be a bit mercurial.

Anton:

Yeah. But it’s a fascinating area. Again, it’s a niche where when you’re inside the industry, you get it. But for the listeners and people outside the industry, I think what you’re saying is really intriguing because there’s a lot of science behind what you do and obviously how you can act.

For anyone listening, how would you sum that up? How can they prepare? They may already be preparing, how would you challenge them, anyone listening to get proactive and have certain steps in place, what would you say?

Rhys:

I would say the first thing you must do is look at your data retention policies. And if you are carrying ID documents, credit card numbers, or tax file numbers as a business, you should be asking your exec team and your board why you are holding that data. And if it’s not absolutely critical to your business, then get rid of it.

And there’s ways that you can deploy technology to find ID documents floating around in unstructured files on your system and delete them.

So, I think that is one thing. It causes untold heartache for businesses when they’ve got inboxes full of PII that doesn’t need to be there. So, scorched earth on old data, particularly employee data.

Second thing I would say is have a cyber incident response plan that’s specific to a cyber incident, not just a general crisis plan, that leans heavily towards the initial escalation and diagnosis and the first response in that plan. How do you convene your team? What are the first 10 things you must do?

The third thing I would say is have relationships with the experts who can help you in the event you have an incident. It doesn’t cost anything to set those up. But they’re worth having when you need to move very quickly.

And the fourth thing I would say is make sure you’ve got guiding principles set up so that you all agree before you’re in the heat of battle, how you’re going to behave in the event of an incident, including whether you would not pay ransom.

So, if for some reason your organization would never pay a ransom under any circumstances, and there’s lots of companies that would be in that boat, agree that beforehand so you don’t spend half a day arguing at a board level about whether you’re going to pay ransom. Because that does happen.

And then the last thing I would say is as part of that incident response plan, get some pre-draft comms materials together, and you can think through those in a fairly common-sense way.

So, CEO’s going to have to brief the team. What are their talking points? They’re going to have to send an email to the team. What’s that email? What’s the notification for stakeholders? What’s your letter to partners and suppliers? What’s your letter for B2B contractual partners, et cetera. And actually, you can pre-draft a lot of those things.

And one other thing I guess is worth noting is we’ve been talking pretty much exclusively about your obligations under the notifiable breach scheme, where if you’ve lost someone’s PII, you have to notify them if the consequences will lead to serious harm.

But there are a lot of businesses that have contracts with large organizations where the barrier to notification is much lower and much faster. So, you might look through a contract you’ve got with a big customer and it says, if you lose any of our data under any circumstances, you must notify us within two hours.

And I think it’s really worth if you’ve got say, a range of really big customers who are important to your business to have a look through those contracts and make sure that you maybe have a little catalog or database of what your obligations are, so you can be informed if you have an incident because that can be quite difficult as well.

A lot of the worst ones we’ve dealt with haven’t been sort of an issue from a notifiable breach scheme point of view; they’ve been an issue because big customers just cut you off when you’ve had an incident.

If you’re in an industry which is pretty commoditized and there’s a lot of strong competition and your customer could easily just cut you off and go to your competitor, then that’s a real risk.

Anton:

Yeah. Fantastic. Rhys, I’ve thoroughly enjoyed talking to you. We might have to get you back for a round two. I feel there’s so much more we could talk about. But, Rhys, look, I really appreciate your time and your thoughts here.

Rhys:

Yeah, thanks very much, Anton. It’s great to chat and as I said at the start, we could talk about this all day.

Anton:

Well, thanks. Anyone listening, you might want to reach out to Rhys Ryan at Porter Novelli Australia, either for a sanity check or in a crisis, as a good port of call.

But thanks again for joining us on Managing Marketing. As I said, if you’re listening to this episode and you’re really enjoying the podcast, please share this episode. Throw a like on, put a review on, and spread the word. It’s the wisdom from the people we’re talking to that hopefully you find interesting.

So, Rhys, thanks again.

Rhys:

Thanks very much everyone.