Which sounds more like an email opener you’d like to write, this one:
“Dear customers, we’ve had a data breach, and your personal information was part of it.”
Or this one:
“Dear customers, another year with no data breaches! Here’s how we’re keeping your personal information private and secure.”
That’s what we thought.
The global COVID-19 pandemic didn’t cause data breaches. What it did was cause companies to realize how easily lackluster security protocols and slack remote work policies could lead to their proprietary and customer information being compromised. In fact, nearly a third of companies will be subject to a breach sometime in the coming two years.
The pandemic is also making people feel increasingly cut off from the world they once knew, so any communication received can have an exponential impact. And with privacy matters all over the 24/7 news feed, communication from your company that discusses the measures you’re taking to protect your customers is likely to be quite well received.
While you and your teams are hard at work locking down the perimeter, ensuring that remote workers are using proper security etiquette, and enabling everyone to access the resources they need when they need them - remember you’re not in a vacuum. Your customers would love to know of the steps you’re taking to ensure their private information stays private. And think of the boost to your company’s reputation when these customers tell their friends and family about the heart-felt email they just received from your CIO, telling them about the newest round of measures you deployed.
Before You Write, Plan Out Your Campaign
Any PR firm will tell you that it’s not just what you say but how you say it that matters. And any psychologist will tell you the same thing. They would also likely agree that when you have a lot of information to impart to your audience, they stand a better chance of internalizing more of it if you mete it out in easily digestible, bite-sized snippets.
Sit down with your security teams. Talk about what steps they’re taking, have taken in the recent past, and have on the books in the coming days/weeks/etc. See what metrics they’re using to monitor progress and what their workflow looks like. Take it all in. And take notes.
Then, back at your desk, parse what you just learned. Translate the technical jargon into plain language. Be sure you’ve got answers to all of the six W’s: Who, What, When, Where, Why, and How. Decide which pieces of information you gathered are appropriate for public consumption and which are better kept internal (there is such a thing as too much information, after all).
Now, work with your marketing and/or PR team to craft your communication campaign. Mix it up, with some information going out over each of the channels you know your customers are using blog posts, videos on YouTube, think-pieces for LinkedIn, sound-bites on Instagram Stories, and memorable one-liners for Twitter. Your customers are everywhere, consuming content via multiple channels throughout the day, and you don’t want to miss any of them.
Internal vs. External Communication About Data Breaches
Our focus here is on how you talk with your customers about data breaches. We would be remiss; however, if we didn’t give passing attention to the other population, you need to be in contact with on this important subject, your employees. A recent Ponemon Institute study showed that 24% of breaches are caused by human error on the part of employees or contractors. That should be a wake-up call. Training is crucial to preventing such attacks.
The most prevalent root cause of human error in this context are phishing emails and other forms of social engineering. Verizon’s annual Data Breach Investigations Report (DBIR) has consistently shown that phishing scams account for ~90% of breach root causes. User training is the most effective way to combat phishing attacks by teaching people what to look for and how to proceed when they fear they may be being phished. There are further options as well; for example, some IAM solutions include automated anti-phishing measures that are easy to implement and can dramatically reduce the efficacy of such attack vectors. As you can see, there is some overlap in what you’re communicating, but the language and specifics will change depending on your audience.
3 Keys to Successfully Communicating With Your Customers About Data Breaches
As with any written content, voice matters; along with determining the best channels to use in your information campaign, you’ll need to set the right tone as mentioned above while staying in brand voice. With sensitive yet technical information like data breach protection activities, word choice will also be a crucial piece of the puzzle to focus on. There are three primary factors you need to remember when crafting this content: transparency, concision, and empathy.
Chances are you’ve been busy implementing detailed data protection measures. Some of these measures are likely things your customers will have heard of, like multi-factor authentication, malware protection, and even encryption is part of the lexicon these days. Keeping your customers in the know about the steps you’re taking in these areas will increase their goodwill toward you and the company.
At the same time, there are likely other steps, things like moving to a componentized infrastructure framework, automating IAM, and implementing a bug bounty program that would only serve to confuse the matter in their minds. Not to mention that making things like a bug bounty program public can raise concerns in those who aren’t aware of the beneficial nature of these programs.
So while you want to be transparent about your data security plan, you need to remain cognizant of the line between sharing enough and sharing too much.
There are two parts to this suggestion. The first is precisely what it sounds like — don’t fluff it up. Data breaches are a subject that most people don’t want to know too much about, while at the same time understanding that they do need to know something. Presenting your content using concise language, without lengthy explanations or paragraphs full of flowery language, will show your audience that you know what you’re talking about and that you value their time.
The second part of being concise is knowing your audience. It’s only in knowing who you’re writing for that you can choose the right words to convey your message so that they’ll both understand and recognize your expertise in the subject. Use too many technical words or acronyms, and they’ll lose focus. Use kindergarten-level language, and they’ll feel you’re talking down to them. Finding the right balance is something that takes experience but is absolutely worth investing the time in.
Empathy is something that seems to be lacking in much of the technical communication going around these days. Emotionless jargon isn’t going to engender the trust and confidence you want your customers to have. Sensory language, words that make them feel you truly know where they are and how they feel, that’s what you want to use. Personalize your communications; use the words “I,” “we,” and “you.” Official business communication guidelines will say to the contrary that you should never use these words, but you need your content to resonate on a personal level, and for that to work, you need to connect on that personal level.
Tell your readers a story, the story of how you understand their concerns about data privacy and everything your awesome company is doing to ensure that their information doesn’t end up in the hands of some malicious actor. Use anecdotes include stories from your own life if applicable, and most of all, be empathetic. Powerful, evocative language helps here. Malicious, contempt, fervor, resolute, steadfast; these words evoke strong imagery for most people, and that’s exactly what you’re going for. You want your audience to see that on a deep, personal level, you get it.
It’s a fact of our 21st-century connected world that data breaches happen. The COVID-19 pandemic has accelerated the timeline for companies to get their infrastructure up to scratch and seal the holes in their permeable perimeters. Now is not the time to rest on your stellar track record of zero breaches in the past two years. Rather now is the time to be working full-tilt to ensure that the track record continues into the foreseeable future and beyond.
Build your perimeter and communicate with your users to instill the trust they’re looking for and that you need in order to continue growing. Remember how you reacted to those two potential email opening lines in the intro. Which one do you think your users would rather get next week?
Get in touch with Auth0 today to start the conversation.
Auth0 provides a platform to authenticate, authorize, and secure access for applications, devices, and users. Security and application teams rely on Auth0s simplicity, extensibility, and expertise to make identity work for everyone. Safeguarding billions of login transactions each month, Auth0 secures identities so innovators can innovate, and empowers global enterprises to deliver trusted, superior digital experiences to their customers around the world.