Cybersecurity crisis communication: How to do it well

Riviera Beach is one of the several cities and towns in Florida which have recently been hit with ransomware. Its local government, like that of Lake City before it, decided to pay the ransom demanded by the attackers to get their files decrypted.

They have also chosen to hire “an experienced crisis communications manager” and have been telling journalists to direct all questions regarding the incident to that public relations firm.

So, what does crisis communications management usually entail?

Preparing for a crisis

Paula Averley, owner and principal consultant at cybersecurity PR agency Origin Communications, says that companies should always be prepared for potential crises, and that the first step of defining a crisis management strategy should be to understand what a crisis could be within your specific organization.

Next: you’ll need to identify a crisis comms committee – a group of people working across the business who will be responsible for the strategy and for seeing it through.

“The crisis communications plan should include a detailed incident response plan, which addresses each type of data breach the business might face, setting out everything you’ll do at each phase, i.e., pre-crisis, during and post-crisis. It also needs to include the details of the committee, responsibilities for each member and their contact details,” she notes.

The to-do list also includes:

  • Appointing expert spokespeople in every region the business operates in (to avoid issues with timezones) and setting up media training so they’re ready to be interviewed.
  • Identifying the audiences you need to communicate with – including employees, shareholders, stakeholders, the public, partners and the media – and determining what the needs of each will be in the event of a crisis.

Your first priority should be those directly affected, but during the crisis you’ll need to communicate with all of your audiences, from when the crisis starts to when it ends, she notes.

“Be factual, be truthful, communicate clearly and empathetically with the people affected. Be open and transparent. If you’re still working out what’s happened and you’re not quite ready to give a detailed response, say so. Prepare a holding statement for each audience and keep updating them as you learn more details.”

Finally, she recommends roleplaying what would happen if a breach occurred, in order to test and rehearse your plans.

“Don’t assume you’re sufficiently prepared to handle a crisis. It often demands more groundwork than you realise, and an elementary crisis plan and generic messaging will not be enough,” she adds.

“Don’t forget internal communication. Employees across the organization will be instrumental in managing and communicating about the crisis, so build them into your plan. Your approach might include in-person meetings, the intranet and emails.”

During the crisis

One of the challenges in tackling a crisis is to ensure that the notification of the crisis and its management is communicated internally through the right channels and via the crisis comms committee – before rumour, incorrect information or negative reactions start to do the rounds within the business.

If a breach happened, determine how it happened: it’s important to know whether there was any failure on the part of the organization, either due to a lack of control in its systems, processes, policies or technology.

“Establish exactly who was affected, and how – what data has been exposed, and what could the impact of this be? What do you need to tell those audiences, and which channels will you use? If personally identifiable information (PII) was involved, you’ll be subject to the reporting requirements set out in the GDPR framework. The biggest challenge will be the need to notify the regulators and those affected quickly, but also be accurate in the information you convey,” Averley points out.

She also warns against keeping mum and hoping that the media won’t be interested in what happened.

“You don’t want to be caught on the back foot if the media does run with the story; this will only make the situation worse. Being vague or silent will make you look shifty and dishonest, which will damage customer trust and the reputation of your brand – maybe irreversibly,” she says.

“Also, be ready to accept responsibility for any part your organization has played in what happened. If you need to apologize, do so. Explain what you’re doing about the cause of the crisis, then again, explain how you’ve remedied the situation and the measures put in place to prevent it happening again. Show evidence of this. Provide a ‘call to action’, e.g., a support page on your website and a help line.”

When dealing with media enquiries:

  • Brief your expert spokespeople fully and provide them with as much information as possible, not only about the crisis, but about the media that are interested in speaking to them and the kinds of questions they are likely to ask.
  • Don’t be tempted to answer questions or agree to an interview before you know the facts.
  • Don’t say ‘no comment’ or try to hide away. That will only send the wrong message.

“Journalists ask tough questions because it’s their job to hold you to account on behalf of their readers and viewers. If you don’t prepare by training and practicing in how to answer challenging questions you won’t feel confident when it comes to the crunch, and this will come across – making you look cagey and ineffectual,” she adds.

After the crisis

The event that has precipitated the crisis is getting distant in your rearview mirror, but you still need to communicate with all of your audiences, to reassure them and to demonstrate that the remedies and prevention measures you’ve put in place are working.

“Show that you’ve learned from the experience, and if you’ve made changes – for example in your cybersecurity process – describe exactly what these are. Lastly, as well as considering what went wrong, consider what went well and tell the media, your customers and other stakeholders about this too.

“Post-crisis, you should keep in touch both with the media and your different audiences to rebuild the relationship and trust. If you’ve handled the crisis well, there should be latent trust and credibility that you can build on.

“Don’t go overboard trying to impress them or ‘woo them back’, but continue to communicate regularly, as you did before the breach, about your news and developments,” she advises, and points to Norsk Hydro as a great example of how to respond to a (cybersecurity) crisis.

“Norsk Hydro handled its recent crisis in a competent and transparent way, which suggests it had a solid response plan in place prior to the event. In particular, it made sure communication continued well after the event, and demonstrated how its employees rallied and worked together to respond to the attack, which indicates that the organization communicated well internally as well as externally.”