Breach Handling & The High Ground

1600 words, 8 minutes.

Breach Investigation

You’ve suffered a breach. Your security was circumvented. Data was lost and the public, shareholders, media, and perhaps regulator must soon be informed. A chain of events has begun. What you do next will determine in large part where that chain leads. In this post I’m going to talk about a tactic I’ve seen used to successfully re-frame a bad situation and nudge the narrative in your favour.

This approach works to rehabilitate your company faster in the public mind. It allows you and your management team to get back to the real job of making sure this never happens again. It’s worth considering, because “doing better”, “working diligently” and “learning lessons” isn’t persuasive.

Those sound bites do nothing to halt the public autopsy of your failure. It doesn’t matter that they may be true. As each incision is made, as each organ is removed and weighed, those charged with fixing the problem will continue to bleed morale. A demoralised team isn’t very good at delivering on any of those promises. If you have been so unpersuasive that you’re fired, or your company goes under, it wont really matter how much you meant it when you said you were “truly sorry”.

A Recent Case

That’s the attack on PR dogma over. Let’s remind ourselves of what a bad breach looks like as it unfolds. The story of the moment is Equifax.

  • Mar. 10 NIST make public details of a critical vulnerability and patch.
  • 9 weeks pass during which Equifax could have applied a patch but didn’t.
  • May 13 - July 30 Hackers breach Equifax, steal data on 44% of US.
  • Aug. 2 Equifax contacts Mandiant to assess what has been compromised.
  • Sept. 7 The breach is publicly announced.
  • Sept. 8 Equifax shares drop 14%.
  • Sept. 11 US Senators demand a timeline and explanation.
  • Sept. 12 The CIO and CSO “retire”, CEO makes a public apology.
  • Sept. 15 Equifax has lost one third of its market capitalisation.
  • Sept. 21 Firm admits it has been directing customers to a bogus help site.
  • Sept. 26 CEO “retires”.
  • Oct. 2 Company reveals 2.5m additional US consumers are impacted.
  • Oct. 10 They lost 15.2m additional UK consumers records.
  • Oct. 12 Site hacked (again) with malware download.

Things we haven’t seen yet but probably will soon:

  • Ransom demands.
  • Drip-feed of leaks as “proof” from hackers.
  • Panoply of lawsuits.

Perception Is Reality

Most of the articles you’ll find on breach handling describe a technical and operational reflex. What to do with your Information Technology systems. Technical first-aid. To stick with the medical analogy, those articles explain how to identify, cauterise, clean, and suture the wound. SANS produce this excellent guide for post-breach “emergency medicine”. I’d struggle to improve upon it. This post isn’t about technical first aid; it’s about your communications strategy. It’s about framing and persuasion.

If you suffer a breach, it’s worth improving on framing and persuasion because whether or not your operational response is good, you can still be damaged by public opinion and negative coverage in the media.

If your technical response isn’t exemplary, then framing and persuasion may be the only thing you have standing between you and “retirement”.

Why Take A Different Approach?

The first rule of Public Relations in these situations is to make a thorough and contrite apology. To draw out the poison, acknowledge it, draw a line under it, and move on towards redemption and eventual forgiveness. It makes perfect sense. It doesn’t work.

At least it doesn’t work as well as it used to. The days when a public dissection could be halted by a well rehearsed “we’re terribly sorry, we’ll do better, let’s move on.” are gone. Journalists need to file articles and have deadlines to meet. If your breach can be turned into an exciting serial, or addictive detective story, then all the better. Thousands of online publications demand a high volume of content to fill space between ads. The more inflammatory the headline, the more clicks. The more clicks the more ad revenue.

A dull, dry technical breach, enabled by simple negligence becomes a story about an embattled CEO’s fight for survival. A partial leak of personal financial data becomes a story about corporate power and regulation. A hack of dating profiles becomes a tale of gender discrimination. Apologising won’t shift you out of the blast-zone.

The High Ground Manoeuvre

I’m going to show you an alternate communications strategy. It isn’t universally applicable, and not everyone will be able to carry it off. It has limits. However, it’s a strategy that has been very successful for companies like Uber and Apple and it might work for you if you suffer a breach.

Uber had its license revoked in London due to a litany of complaints and incidents involving drivers. These included numerous sexual assaults and a sword attack on the police outside Buckingham Palace. Uber admits it failed to report drivers on multiple occasions. Had it done so then fewer incidents would have taken place. Here’s their apology from the new CEO Dara Khosrowshahi:

Did you catch the part where Dara apologised? Neither did I. What did you take away from the message?

“Work with us."

Remember when the new iPhone 4 suffered from dropped calls and poor signal? The world’s greatest smartphone from the worlds greatest technology company had a schoolboy error in antenna design. Here’s Steve Jobs saying sorry in July 2010.

“We’re not perfect. Phones are not perfect. We all know that. But we want to make our users happy." - Steve Jobs, CEO Apple Inc.

The Steve Jobs reality distortion field was so powerful that you forgot you didn’t hear an apology. He reminded you that the whole industry has problems with signal (because nobody likes an ugly protruding antenna). He reassured you that Apple will make this good with users. Later Apple proposed a solution, which was received with relatively little fuss. What message did Steve leave us with?

“We want to make our users happy."

The approach that Jobs and Khosrowshahi took is different. It portrays the CEO in a strong position. It takes control of the narrative, but doesn’t try to alter facts or lie (to do so would be futile). It alters the listener’s perception of those facts by changing the frame.

It works because it completely encircles the opponent’s position (by admitting a problem and not lying). It then elevates the discussion to a higher plane. If you try to return to the detail it makes you look petty, one dimensional, small-minded. Like a protestor with a single rehearsed question or accusation and no follow-up game.

Putting Equifax On Higher Ground

Let’s see how we could have used this communications technique at Equifax. I’ll admit now this is a difficult task given the details of the breach. Here goes:

“Millions depend upon quick and easy access to credit."

“Facilitating that means opening up peoples private data."

“Nobody is immune from hackers, not even the intelligence services."

“We want access to credit to continue to be easy, and will do everything we can to ensure private data is better protected."

Compare it with any of the statements from Equifax.

I’ve seen this technique used a few times although not for data breaches. It works best in a consumer context where people feel personally slighted by something a company has done or an accident that shouldn’t have happened. I don’t know if the technique has a proper name. The closest thing I could find was what Scott Adams describes as the “High Ground Manoeuvre”. If anyone knows the proper name then I’ll update the post. I should have done more research. I’m truly sorry there wasn’t time. I’ve let you down. Actually forget all that. Try this:

“Many companies will suffer a data security breach at some point."

“Most won’t have access to professional crisis management advice."

“With limited time I thought it more important to explain the technique than research its origin."

“I want you to have the best chance possible of recovering from your breach."

Obviously it’s better to avoid a breach in the first place. To do that read my short series on Winning Systems for Cyber Security Practitioners. I think it’s worth your time because winning systems endure, while configurations, products, and even skills, are fleeting. If you intend to try and use the high ground manoeuvre get some practice. It has limits. To sharpen your technique you might want to test those limits. I’ll start you off in the comments section. Good luck!

Breach Investigation

Nick Hutton

Engineer, Investor, Founder, Product Manager

London, England https://blog.eutopian.io