Whose fault is it? How tech vendors can best respond to a customer security incident

You are a software vendor and one of your key customers has a major security breach. How do you respond? The fact is that data breaches are no longer isolated incidents: in our digital world, they have far-reaching ripple effects.

We are aware that when one of our technology-vendor clients has a customer experiencing a cybersecurity incident, the vendor can also find itself pulled into the spotlight, whether it was directly involved or not. And frankly, as a partner it is important to provide as much support as possible to protect that customer relationship.

Of course, our vendor clients and their customers will have risk processes in place for outages and security breaches, but how they both communicate can make the difference between resilience and reputational damage across the chain – from tech vendor to their customer to the end-customer/user.

So, what should tech vendors be doing to get on top of these situations?

Quickly get a handle on the scope of the issue

Before doing anything, know the facts, particularly your technology's part in the breach, if any. Was the technology misused or exploited, or was it at fault?

In these situations, there is no use or gain in playing a blame game. Work side by side with the customer to get to grips with what has happened and offer help. Meanwhile, you need to establish an extended crisis team with PR, legal and technical experts from both your own company and the customer to coordinate a response.

Let the customer lead

As the breach has directly affected the customer, they must be the primary communicator. Your job as the tech vendor is to be aligned on the messaging and, in some cases, to be ready to make joint statements if you were directly involved. If you weren't involved, you need to know what the customer is saying publicly about the incident and be prepared to react to any media enquiries with an agreed reactive statement that summarises all the facts, the collective position on the issue and the next steps to rectify the situation.

No finger-pointing

Even if your technology was not the cause of the breach, do not get pulled into defensive or accusatory language. It does not look good whichever way you approach it, and a defensive stance is never a strong one. Reputations are built on trust, honesty and transparency, and a dose of humility as needed will stand you in good stead in protecting that reputation. Show some solidarity and focus on shared accountability. You can, and should, protect your brand. But do it with professionalism and empathy.

Getting media and customer prepped

If your company is associated with the incident, don't overlook communicating with your own customers. They will likely already be aware of what has happened through word of mouth or the media, so it pays to be ready with talking points for customer support teams and sales staff. If your company has a large workforce, assign executives to relay the information in smaller meeting settings.

Media enquiries can also come thick and fast, so designate a spokesperson, walk them through the messaging and role-play some of the trickier questions so they can gain confidence before heading into the spotlight.

A key resource is the Q&A, a collation of the types of questions you might face in an interview. Consider questions like:

  • Was your platform involved in the breach?
  • What are you doing to support your customer and their end users?
  • Are other customers at risk?
  • What steps are you taking to prevent similar issues?

Make this an opportunity

You might be surprised to hear that a crisis can actually be a great opportunity: to show transparency and responsibility, and to show that you are not just a vendor but a partner. It sends positive trust signals to other potential customers that you can handle, and even avert, an unfolding crisis, and it shows that you have had the foresight and expertise to plan for these situations.

Leading the effort to collate the collective lessons learnt once the incident has died down also shows a commitment to improvement and continual learning.

We live in a world where data breaches don’t respect boundaries. Even when the breach isn’t yours to fix, your response speaks volumes to this customer and others. Tech vendors who respond with clarity, calm, and cooperation will protect their brand and even strengthen their relationship with the customer.