DEALING WITH THE CRISIS OF A CYBER-ATTACK

A cyber-attack has long been up there as one of the top ten potential crises keeping senior leaders awake at night.  And we know how much more prevalent such attacks have become, even if we don’t always hear about them. 

As former Cisco CEO John Chambers is reported to have said: “There are two types of companies: those that have been hacked, and those who don’t yet know they have been hacked.” 

The risks of a cyber-attack have been heightened by a shortage of qualified professionals working in cyber security and the resulting increased competition for the services of those that do exist.  Governance and legislation are also still evolving in the area.

There is a further reason to prepare for this type of crisis, arising from the current conflict between Russia and Ukraine.  From the start of the conflict, governments and regulators have warned that organisations and companies must be prepared for the risk of being caught up in this geopolitical crisis by falling victim to a cyber-attack from a hostile state. 

Common cyber-attacks

Just a few moments' desk research reveals the variety of cyber-attacks that could paralyse your organisation's ability to function.   We are mostly going to confine ourselves here to the crisis communications issues around a cyber-attack, but it helps to know, at least at a very high level, some of the terminology to watch out for.

The most common cyber-attacks involve malware: malicious software introduced into a system, whether through a technical vulnerability or, very often, because someone clicks on a dangerous link or opens a malicious attachment.

Once the malicious software is in place it can encrypt files or block access to parts of the system; when those responsible then demand payment to restore access, the incident has become a ransomware attack.  Malware can also wipe files completely or, without the organisation's knowledge, transmit data to a third party, which is why many ransomware incidents are also personal data breaches. 

A Denial-of-Service attack floods a system with traffic, exhausting bandwidth or server capacity so that normal business cannot be transacted.  When the flood comes from many compromised machines at once it is known as a Distributed Denial-of-Service (DDoS) attack. 

Even attempts to improve cyber security can expose organisations to increased risk.  A zero-day exploit attacks a vulnerability for which no fix yet exists, often before the software vendor even knows about it.  Closely related is the window that opens when a vendor announces a fix: the 'bad actors' now know a vulnerability is there, and will try their luck finding organisations that have not yet applied it.  The practical lesson is that security updates need to be applied promptly, not merely received.

By now you should be realising it is time to talk to your IT people and find out a little more about their processes around protecting the organisation, spotting any issues, and then escalating them when needed to allow a crisis management process to begin as soon as possible. 

There is also a role for communications in helping to prevent a cyber-attack by ensuring employees are aware of good IT hygiene.  Campaigns around the need for strong, unique passwords (and multi-factor authentication where it is offered), not clicking on links or attachments in emails from unrecognised sources, backing up data and taking care with mobile phone apps are important principles. 

When a cyber-attack crisis hits

If your organisation does fall victim to a cyber-attack, what should happen next? 

A cyber-attack is a crisis that comes with a clear course of action towards at least one regulator: the Information Commissioner's Office (ICO).  Under the UK GDPR, a security incident that involves a breach of personal data must be reported to the ICO within 72 hours of your becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.  If the breach is likely to result in a high risk to individuals, you must also tell the affected individuals themselves without undue delay.

You may not know all the details within that time frame, but you are obliged to tell the ICO what you do know and can then come back with more information as and when it becomes available.  Keep a written record of every breach, including what you decided and why, even where you judge that it does not need reporting: the ICO is entitled to ask for it. 

The ICO may go on to share what you have told them with any other relevant crime prevention or regulatory body such as the National Cyber Security Centre, the National Crime Agency or the Financial Conduct Authority. 

The ICO is therefore a crucial stakeholder in any cyber-attack.  Thinking in terms of stakeholders, messages and channels is a useful way to order the crisis communication response.

The key stakeholder group in a cyber-attack – as with any crisis – is the victims.  If your particular cyber-attack involves the compromise of personal data from, say, clients or customers, you need to put them and their needs at the heart of your communication process.

Other important stakeholder groups will include your employees, who may find themselves on the end of questions from clients and others and need to know what the correct response should be.  Think also of your regulators, and even suppliers (include your bankers there, as they should be able to advise if financial data has been compromised).

Messaging

In terms of messaging, classic crisis communication advice distinguishes three elements: instructing information, adjusting information and reputation repair. 

The first is about making sure victims in particular know exactly what they need to do: for example, do they need to check their bank statements, change their passwords, or watch out for phishing emails that use the stolen data?  Adjusting information is when the organisation seeks to put what has happened into some sort of context.  This is the psychological element of crisis communication messaging and should be designed to answer the question: how worried should I, as an individual, be?

Finally, reputation repair is the opportunity for the organisation to give the correct response: one that demonstrates concern for the victims and points to what it is doing to put the situation right.

Channel

The next step is to work out how to get these messages to the right stakeholder groups.  Ideally, this should build on a communication channel audit done well before any crisis hits.  Large organisations are often surprised by quite how many owned channels they actually have.  In a crisis, all these channels need to be consistent in what they say.  All of them also need to be monitored, so that messaging can be revised if it is not telling stakeholders what they need to know and updated as new information becomes available.  Bear in mind that some owned channels (corporate email, the website, internal messaging) may themselves be affected by the attack, so the audit should note which fallback channels are available if the usual ones are down or cannot be trusted.

For social media, as part of your planning for a cyber-attack, think how you would respond to posts on the various channels.  When would you engage, not engage, or refer on?

For mainstream media, the big question is always when to go public.  As ever, the concern is that going too soon may cause unnecessary alarm when you don't have all the answers, but going too late will leave you facing accusations of trying to hide what has happened and, in some instances, of denying your clients or customers the chance to protect themselves against the misuse of their data. 

This is the sort of judgement PR professionals are being paid to give, but putting yourselves in the shoes of the victims and what they would expect you to do usually helps.  In a cyber-attack, the organisation should be seen as more of the victim than the villain, but poor communication will see that framing change very quickly indeed.

Author: Chris Tucker

Image credit: Gerd Altmann at Pixabay 
