It wouldn’t be a long stretch to say that companies that fall victim to an information security breach have a public relations problem on their hands. Admitting (or in some cases, just alerting—no admitting allowed) that a company has inconvenienced its clients has never been a good move. And so the spin-doctors were born.
In some cases, it seems a better term would be spin-quacks. I mean, the last thing a company wants to do if subject to a data breach is to appear incompetent. Granted, incompetence—or its flipside, a sunshine information security policy of “everything will be fine; computer theft happens to everyone else. Let’s go have a picnic and leave our laptops on a table while we go have a dip in the lake. That’s how we secure things at Pollyanna, Inc.”—is probably what caused the problem in the first place, so the quacks have their work cut out for them. But do they have to keep making weird pronouncements that remove any doubt about their lack of common sense?
Consider the following statement that shows up quite regularly in data breach announcements, and of which I’ve seen many, many permutations: “We have no evidence that the stolen data will be used for unauthorized purposes.”
Read that again, just to make sure it sinks in. Is it just me? Are these people implying that they’ve had a situation where a thief leaves behind some kind of note alerting victims of what he intends to do? Of course these companies don’t have such evidence; the last thing a thief wants to do is stick around and write a thank-you note. Can you imagine some guy leaving a calling card stating what he’s going to do with the data? Would the PR guys release something along the lines of “We have evidence that the stolen data will be used for unauthorized purposes?”
Where do these senseless strings of words come from? I wonder if PR people feel compelled to fill in any blank spaces on a sheet of paper; I know I do when writing these blog posts. Except, I overshoot, so I’m stuck paring these things down….
An easy way to prevent PR personnel from making such ludicrous observations is to hire good public relations personnel (well, actually, it’s harder than it sounds. But, it’s infinitely easier to hire good PR people than hire bad PR people and educate them, plus clean up their mess—for which one would hire a good PR guy). This, though, fixes the symptoms and not the cause. An even easier way to make sure PR people don’t stick their feet in their mouths is to deny them PR-worthy cases.
Easier said than done? You’d be right, absolutely. Anyone over the age of ten probably knows that there is no such thing as certainty in life. The point is to lower the risks of something happening. Does your workplace use laptop computers? Get thee some full disk encryption for those, as well as for your desktops. If you use AlertBoot, you can easily manage the encryption of your business’s computers, and use the powerful reporting to implement a security audit program to make sure you (and your PR staff) don’t get caught with your pants down.