Learning the lessons of a cyber-attack from one of the victims: the British Library

I have just finished reading a report the like of which I never expected to read unless I worked for the organisation that had compiled it. Fortunately, you can read it too, and I urge you to do so if you practise crisis communication or expect that one day, when the worst happens to your organisation, you will find yourself having to do so. I am going to summarise what I see as some of the main points and learnings.

In October of last year, the British Library was the victim, as so many organisations are nowadays, of a cyber-attack. The criminals responsible got away with 600GB of files, including personal data of Library users and employees. The gang demanded a ransom, which the Library refused to pay, in line with UK government policy that publicly funded bodies do not pay ransoms. The data was then put up for auction and finally dumped on the dark web.

Compromised data was not the full extent of the damage. The attackers also encrypted data and systems and destroyed some servers. Whilst the Library has copies of its digital collections, the attack has required a rebuild of its IT infrastructure, which is ongoing.

Whilst the Library premises remained open throughout the attack and its aftermath, the services on offer were severely restricted for the first two months. Many staff were unable to perform significant parts of their roles or were forced to use manual workarounds. All of this was frustrating and costly, as well as reputationally damaging.

So, what are the main lessons for crisis communicators?

There is a lot to learn when it comes to our own risk assessment. The first stage of any crisis communication plan is defining what a crisis is for the organisation and what is likely to lead to one. For the British Library there were lessons to be learnt about what it describes as a “complex technology estate.” As with many older organisations, its IT involved a number of legacy systems patched together, and that complexity increased the attack surface: more systems mean more entry points for attackers, and hence more risk.

Interestingly, the Library also identifies measures taken during Covid-19 as a contributory factor. Remote access to the network expanded during the pandemic as employees worked from home. Now that remote working is a feature of most organisations, this risk is worth all of us checking with our IT departments; the practical questions are which remote-access routes exist, whether each one requires multi-factor authentication, and who holds the privileged accounts that can reach them. The Library believes the most likely source of the attack was the compromise of “privileged account credentials,” possibly via some kind of phishing attack or via brute force, where passwords are repeatedly tried against someone’s account.

The Library’s report on the attack details what I have always called the “press the red button moment,” or how a crisis moves (hopefully quickly) up the chain of command, enabling the organisation to react swiftly.

For the Library the “intrusion” was first identified at 7.35am, when a member of the IT team could not access the Library’s network. By 9.15am the Library’s Crisis Management Plan had been invoked, and the Gold Crisis Response Team convened at 10.00am by WhatsApp video call, since email was no longer available because of the attack. Lesson: get that telephone number tree in place and have WhatsApp or something like it ready to roll. An out-of-band channel that does not depend on the corporate network only helps if it is set up, with contact details distributed, before the attack rather than during it.

Stakeholder communications moved swiftly into action. As we know, UK GDPR sets a statutory timeframe for reporting a personal data breach to the Information Commissioner’s Office (within 72 hours of becoming aware of it) and requires the individuals affected to be told without undue delay where the breach is likely to put them at high risk. The Library took a proactive approach with both users and employees, and purchased a credit monitoring and identity protection product for all employees and, where appropriate, users, to provide reassurance in terms of their personal finances.

The report says that the British Library convened both its Gold and Silver committees. The UK emergency services, and other organisations dealing with major incidents, especially those involving possible loss of life, use a Gold, Silver and Bronze structure. The report is not explicit about the difference between Gold and Silver in the Library’s case, but generally speaking Gold is where strategic decisions about the crisis are made, Silver is the tactical response, and Bronze is operational, i.e. actually at the scene of the incident. Communications need to run across all three.

In the report the Library says the Gold/Silver command structure “… superseded the Library’s normal management,” which is interesting. Obviously an organisation in crisis is going to operate differently, but it is important to make sure day-to-day management still carries on; otherwise it might not be long before another crisis erupts. This is one of the reasons why it is not always a good idea to have the CEO chair the Crisis Management Team.

As for those tactical communications, it clearly was not easy given that the Library’s website and intranet were out of action. This is common in a cyber-attack, and the lesson is to work out now how your organisation would communicate if its own website, email and intranet were unavailable. Instead, the Library used its social media channels, and for staff, cascades via email or WhatsApp were deployed.

One of the big changes I have seen over the years I have been in crisis communication is the recognition of the importance of employee communications in a crisis. Who are more credible commentators to family, friends, customers, and others on your crisis than your people? The Library says: “Our communications process ensured that staff always saw updated external communications… before the public, giving them the opportunity to digest the latest developments in advance of user queries.”

Once there was some stability, the Library moved from Gold and Silver to Rebuild and Renew, classic resolving-the-crisis and learning-the-lessons mode. It is common for senior leaders in particular to want to get back to business as usual as soon as possible, but if business as usual led to the crisis, that may not be the best idea. As the Library says: “There is a risk that the desire to return to ‘business as usual’ as fast as possible will compromise the changes in technology, policy and culture that will be necessary to secure the Library for the future.” Organisations that have been successfully attacked once are frequently targeted again, and the Library now has a workstream to prevent that happening.

You can read the British Library’s exemplary report here. Far too many crisis communication case studies are written by those who were not in the room. Far too many are “what went wrong” in terms of communication. It is so refreshing to read something so honest and thorough and from the horse’s mouth. 

Author: Chris Tucker, Chair, CIPR Crisis Communications Network

Photo: Christina Hsu
