With data breaches and cyber-attacks at the forefront of business leaders' minds and a hot topic at this week’s Senate estimates, Tim Lele explains why saying sorry matters.
The latest report on Australian cybercrime from the Office of the Australian Information Commissioner (OAIC) came with good and bad news.
The good was that breaches were down 16 per cent for the first six months of 2023. The bad news: there were still a whopping 409 data breaches.
On Monday night at Senate Estimates, Australia’s information and privacy commissioner, Angelene Falk, revealed that despite the Albanese government increasing the size of potential fines for organisations experiencing a data breach, no Australian company has been fined in the last two years.
But fines are far from the only concern for businesses sitting on swathes of data. Going back only a few short years, organisations were hell-bent on gathering as much data as they could about their customers. But now, that’s flipped.
Businesses are now looking at the data they gather as a potential risk, holding only what’s deemed business critical and deleting the rest. But organisations remain exposed.
In the last 12 months, some of the most prominent breaches at Latitude, LJ Hooker and Medibank saw hackers gain access to sensitive data through a back door left open by third-party suppliers.
Yet another shocking example is the recent breach at telemarketer Pareto Phone, which exposed donor information from more than 70 of its charity customers, some of it dating back five or more years after it should have been removed. It’s an all-too-common story.
Around half of Australians have now received the dreaded call from an organisation to tell them their data has been stolen or exposed. However, as cybercrime becomes more common, the speed and authenticity of crisis response remain inconsistent.
Pizza Hut Chief Executive Phil Reed wasted little time saying sorry last month after the personal information of 193,000 customers was breached. “I sincerely apologise for any concern that this incident may have caused,” he said.
Yet not all CEOs are so quick to roll out the S word when shit hits the fan.
It took more than a week for Medibank’s CEO to front up and apologise, despite the worst-case scenario of his customers’ most sensitive personal medical data being exposed.
“I am very sorry this has happened,” CEO David Koczkar told 9News after appearing to be literally backed into a corner.
But it’s not David’s fault. It’s often the misguided pseudo-legal advice organisations receive or believe: that they should avoid saying the word “sorry” out of fear it could be seen as an admission of guilt in a court of law, or worse, public opinion.
This defensive approach leaves spokespeople dancing around the elephant in the room, with little space to provide genuine empathy for the impact on stakeholders. Whether the company is at fault or not should be irrelevant.
From our research and legal advice, the idea that saying sorry would damage your chances in court is nothing more than a furphy.
Not saying it, however, is likely to damage your reputation. And how you manage reputation in a time of crisis, by acting and communicating quickly, can have longer-term impacts on your business than admitting guilt.
A US study found companies with a fast and effective crisis response experienced a six per cent rise in share value, while those with a slow response lost 21 per cent over the following year.
It didn't matter if the issue was a cyber-attack or an accident: companies that were prepared to respond quickly and effectively saw an increase in their share price. Their reputation rebounded and even improved.
So how can you manage a cyber crisis to not only protect your reputation but enhance it?
The first step is to put fault and ego to one side.
In a cyber-attack, it's often unclear who is at fault. Is the business a victim of a sophisticated attack, or was it negligent and left the door open? According to the OAIC, a third of breaches in the past two years were caused by human error, and a “large proportion” by hackers. Often the truth sits in the murky middle, and we may never know.
So, organisations need to get used to communicating without all the facts and be willing to apologise for the impact on customers, even if they’re not completely to blame.
An honest, heartfelt apology delivered proactively can take the heat out of a crisis and show your audience that your priority focus is them, not protecting your own backside.
Being a spokesperson during a crisis is about more than what you communicate; how you deliver a message is just as important, if not more so. And practice makes perfect. That’s why companies should be conducting regular crisis simulations and crisis media training, to test spokespeople and decision-making under pressure.
Even without lawyers whispering in their ears during crisis media training, many spokespeople show a reluctance to apologise.
Saying sorry doesn’t always come naturally. That can be a cultural thing for some businesses or spokespeople who aren’t used to communicating transparently.
On the other hand, some people are naturally more empathetic and can connect to how the audience they’re speaking to feels. Only by putting your spokespeople through tough interview exercises can you identify who can handle the heat and communicate with authenticity under pressure.
Getting comfortable as an organisation with who, how and when you communicate in a crisis, before one strikes, is critical to a coordinated and effective response.
If you don't, you may leave yourself with more to feel sorry about.
Tim Lele is the Director of Public Relations at Keep Left.