The nexus of data security and crisis planning has taken on global importance recently. The rash of broad-based attacks just this last month, from the WannaCry ransomware to the more recent attack based on a variant of Petya, is effecting every industry. As the hacker ecosystem has become more automated and scalable, attacks have become wider reaching and more general, hitting any available target. This most certainly includes PR and marketing firms, since clients share significant proprietary data with us in our daily work representing their brands.
Crisis planning: not new, more urgent for agencies
We’ve been detailing the importance and elements of effective crisis planning for a while, from the need for data security to be a board-level conversation to the different stages of crisis management. What this latest attack style does is increase the urgency for every single company, including PR and marketing agencies, to have a specific data security escalation plan to match any existing product/service crisis plans they might have for clients.
Given the growing importance of marketing data as companies shift to a consumer-centric mindset, and the increased focus on marketing data management via the GDPR, we thought it worth revisiting three key planning crisis governance and execution best practices. These most certainly apply to the PR and marketing industry as we live and breathe data every day.
Develop a vetted plan
Have a detailed and documented crisis plan that includes how and when to collect and dispense knowledge, the ability to escalate to match the speed and importance of the issue, and a clear ownership structure to ensure timely decision making.
This crisis plan should always include the following elements:
- Who’s on the initial call down list and in what order?
- What’s the expected response time, internally and externally?
- Are pre-drafted responses ready for customers/partners/investors?
- Are the right communications channels set up? (email, portals, releases)
- How quickly are clients informed?
- What will be the ongoing communications cadence?
- Who is at the top of the decision tree? Who is the main spokesperson?
Execute full mission profile exercises
Assuming a vetted escalation plan is in place, make sure to run an honest and serious set of regular rehearsals. There are regularly executed fire drills, emergency management system tests, and other public safety drills that are accepted as normal and important. The overwhelming likelihood of a data breach hitting an agency needs to be taken seriously and practiced for, so when it happens, easily avoidable mistakes don’t damage the ability to protect both client intellectual property and the agency brand.
Make it a leadership/board level initiative
Whether it’s financial data or core IP, manufacturing line production data or SaaS portal for sales lead information – in the end all data is at risk. Agencies of all sizes need to reorient the definition of security and risk, address the need for revamped crisis communications policies and plan for the day when digital risk is a regular line item on the Leadership and/or Board of Directors’ monthly meeting.
Data security is an everywhere problem – PR and marketing must plan accordingly
The ease with which hackers can acquire scalable tools to continually and widely target puts all data at risk. For public relations and marketing agencies, security takes on a significant importance since clients share significant intellectual property in the agency’s efforts to represent the brand. Agencies need to not only plan to help clients meet their crisis needs, but also make sure that the agency continues to serve as part of the solution and not become part of the crisis.
Written by Derek Lyons, former Senior Vice-President
SHIFT Communications, sister company of NATIONAL Public Relations