History has taught us that no matter how hard we try to reduce the likelihood of an employee breach, it can still happen. Despite strict hiring and screening practices, clear policies and regular refresher training, human nature is unpredictable and your employees may expose your organisation to:
- employment practices liability risks such as sexual harassment, defamation or discrimination
- professional liability risks such as compromising customer data
- injury liability risks such as a fall or other accident in the workplace
- fraud risks such as embezzlement or procurement fraud.
The impacts of reputational damage can include lower profits, lost customers, erosion of shareholder confidence, increased staff attrition, a negative workplace culture/morale, and lead to higher costs per hire to make up for the poor reputation. The impacts of the worst breaches can linger for decades, making reputation repair a critical priority for leadership teams.
Below, we share some steps organisations can take if they suffer reputational damage due to an employee breach, lessening the impact of the blow and shortening the time to reputational repair.
1. Get out in front of the problem
Staying silent about an issue or hesitating too long to admit fault will only make it worse. Acknowledge that an employee breach has taken place, apologise, and then detail the positive steps the organisation is taking to address the problem with a focus on transparency. Don’t make the mistake of saying you will take action without providing details about what those steps will be.
For example, Optus responded to the September 2022 data breach with an apology, a statement explaining that it immediately shut down the attack, detail about exactly what type of customer data may have been exposed, and advice on what customers should do next to protect themselves. Since then, Optus has released regular ongoing updates about its cyber response.
2. Take responsibility
In the case of an employee breach, it may be tempting to try to direct all the blame towards the individual involved and hope the issue “goes away” after their employment has been terminated. But the organisation should also take responsibility for allowing a preventable issue to happen, either through ineffective employee screening, poorly implemented policies or procedures, or gaps in the internal control environment.
Again, any public statement should include an explanation of the steps you have taken so far (such as terminating the employment of the individual involved) and the steps you are putting in place to reduce the risk of this happening again.
3. Conduct a thorough investigation
A thorough investigation is not only necessary for pinpointing the causes and formulating a remedial action plan but is a vital step in restoring public confidence. Engage an external party to carry out the investigation to help bolster a perception of fairness. Focus on transparency, documenting the findings of the investigation and keeping the public updated as it proceeds.
Bolster public confidence by being transparent about the third-party agencies your organisation will be working with in response to the issue. After the 2022 data breach, for example, Optus announced it was working with the Australian Cyber Security Centre and had notified the Australian Federal Police, the Office of the Australian Information Commissioner and key regulators.
4. Follow through on remedial steps
Words and action plans are not enough to rebuild trust with customers, regulators and other stakeholders after a significant breach. People will want to see evidence that changes have been successfully implemented in the organisation and will make a difference in the long term.
For example, after a safety breach that resulted in an employee being seriously injured, the organisation should provide evidence of how it has:
- Implemented new or enhanced employee compliance monitoring to ensure all staff have the required certifications and onboarding. Cited, for example, provides risk and compliance managers with instant visibility of their entire compliance status regardless of where their sites are located or the number of staff they are tracking. Cited generates all the reporting and evidence needed to stay on top of risk issues and provide confidence that risk factors are being addressed.
- Improved and strengthen onboarding and other training programs to further mitigate the likelihood of a similar breach occurring again.
- Created and maintained a positive Safety Culture to help reduce the risk of reoccurrence. Steps may include reinforcing a safety-first message, gaining support from senior executives, bolstered training and communication, encouraging people to speak up about unsafe practices, gathering and responding to feedback, and enhancing workforce inductions.
Save time investigating compliance breaches
Investigating the causes and background of risk issues such as a workplace accident can generate a lot of additional work for compliance professionals, taking them away from their day-to-day workload. Cited generates all the reporting and evidence you need to stay on top of risks related to workforce compliance and (in the event of an incident taking place) gives you the power to begin investigating immediately.