THE IMPORTANCE OF GOOD COMMUNICATIONS DURING A CYBER ATTACK
If there were any doubts left as to just what a real and significant threat cyber-attacks are to organisations, Friday’s global malware attack should have dispelled them.
The attack, widely publicised by the media over the last three days, disrupted patients and doctors at one in five NHS trusts across the UK, but also hit companies across the world from Australia to Russia. The latest count is over 200,000 victims in at least 150 countries – many of those will be businesses including large corporations.
There’s no doubt that such attacks are becoming increasingly common. According to the Cyber Security Breaches Survey, published in April 2017 by the Department of Culture, Media and Sport, nearly half of all UK businesses have suffered a cyber breach or attack in the past 12 months. Seven in ten large businesses identified a breach or attack, with the average cost to large businesses of all breaches over the period being £20,000 and in some cases reaching millions.
We have got to a stage now where companies should be prepared for when, not if, they suffer a cyber-attack. No business or organisation is immune, regardless of size, sector, geography or the level of protection they have in place. When cyber-attacks occur, crucial services are compromised and, if not handled correctly, they can be hugely damaging both from an operational and reputational perspective. And yet, despite their increasing prevalence and obvious cost, some businesses remain unprepared or unable to effectively communicate an attack to key stakeholders.
So here are my key communication principles for preparing for and managing a cyber-attack:
Preparation is everything: It’s impossible to prepare for everything, but making detailed preparations for the most obvious contingencies equips you and your communications team to handle most eventualities. Conduct regular audits to check you have the right collateral, resources and processes in place and plug any gaps you identify. Look at your people: do they have the right skills and resources at their disposal to effectively manage an issue? If not, provide them with the necessary training and resources to enable them to do so. And finally, rehearse how you would respond to an issue through regular simulation exercises. The more practiced your response, the better it is likely to be if a scenario becomes a full-blown reality.
Take control: At the start of a crisis, no one knows very much. But the world needs to know that you’re gripping the situation and taking responsibility for its swift and safe resolution. This means recognising that something has happened, regretting the effect on people and resolving to put it right, with timescales attached wherever possible.
Be clear on what you need your stakeholders to do: Prompt and direct communications are crucial to managing a cyber security issue. Customers and stakeholders will not be reassured by vague messages, as this will not enable them to protect themselves adequately, and you risk turning an issue into a full-blown crisis. Keep your messaging clear and concise and only ever deal in facts. Provide regular updates to reassure all audiences that you’re working hard to resolve the issue, ensuring the appropriate level of care and concern comes through in all communications.
Think about the channels you’re using to communicate with stakeholders: A cyber-attack is likely to require direct communications with consumers, customers and stakeholders, often containing important information about any necessary actions they need to take to ensure their own security. But the very channels an organisation might normally use to do this, such as email or website, may well be down following a cyber-attack. Alternatives will need to be found and quickly. Thinking through these realities during peace time will save you a huge amount of time and stress if such an issue does befall your company.
Don’t get caught in the blame game: It’s all too easy to try and pass the blame – don’t! It never looks good and will leave your publics under the impression that the situation is out of control and uncontained – not a good look. Instead, take responsibility for resolving the issue and remember that a well-handled issue or crisis presents an opportunity to win new advocates and plaudits.
Talk to Finn: Based in Leeds, we have extensive experience of issues and crisis management, working with a variety of high-profile, high-risk organisations in the North of England, whether that’s successfully navigating cyber-attacks and activist campaigns, or handling misconduct allegations or product recalls.
We’ll work with you to identify potential issues, build early warning systems and develop robust plans to help control and mitigate risks. And if the worst does happen, our award-winning crisis experts will ensure your response doesn’t become the story, minimising impact and helping you to stay in control.