Table 2 in Verizon’s 2011 Data Breach Investigations Report suggests that data breaches occur frequently in relatively small companies.

Table 2. Organizational size by number of breaches (number of employees)

1 to 10                                        46

11 to 100                                  436

101 to 1,000                           74

1,001 to 10,000                   49

10,001 to 100,000 59

Over 100,000                       55

Unknown                               40

It may be that these smaller companies have not had the time to construct and test their defenses; hence they represent “low hanging fruit” to attackers either outside or inside.  Larger companies may be more attractive due to their size and potential, but they may also be much more difficult to penetrate.

Regardless of being large or small, it is worth noting that in today’s world there is a high probability that something bad will happen.  It could be an external hack, a social network mistake, or a concentrated effort by external groups to convince you to change your ways (See:  http://www.1goodreason.com/blog/blog/2010/05/19/nestles-social-media-meltdown-case-study/ )

The astute CMO understands that something bad will happen and consequently has a tested Marketing recovery plan in place.  Like an IT or Manufacturing/Operational contingency plan, the Marketing recovery plan swings into action when an “event” occurs.

For example, a small public hi-tech company might wake up one morning and discover that its intellectual property (IP) has been hacked.  Assuming that this might have a material impact on earnings, Management has the responsibility to disclose this information to the SEC and communicate it, in the best way possible, to shareholders and other interested stakeholders.

In a small company, how would this crisis be handled?  Does everyone know what to do?  Who speaks to the press, the SEC, investors, suppliers, employees?  Who instructs customer facing people what to say, how to gather responses, etc. etc.?

Having a tested recovery plan in place mitigates some of the immediate panic and uncertainty when an event occurs.  It certainly is not the time of “on the job” training.  As the voice of the company, it is the CMO’s responsibility to construct and test the Marketing recovery plan.  This includes getting Management’s buy-in on how a response is constructed and communicated.  Failure to act appropriately can severely damage a company’s image and tarnish brands forever.  Both the Chrysler-twitter embarrassment and Epsilon’s reaction/comments to its data breach have been criticized as to how they were handled. On the other hand, the Red Cross got kudos for how it handled a potentially damaging tweet.  See: http://mackcollier.com/red-cross-social-media-crisis-situation/

Does your company have a tested Marketing recovery plan?  Is the Marketing department prepared to lead the way when a crisis occurs?  Knowing that it is a matter of when, not if, an “event” occurs, shouldn’t you be prepared?

RHM  4/27/2011