Take urgent action now to build an effective cyberattack crisis communications plan
Cyber-attacks are no longer outlier events. In fact, the old saying of “it’s not if – but when” has sadly proven true for many organisations. For this reason, many are now heavily focused on planning and preparing for a cyber-attack and on increasing their levels of resilience, response and redundancy so that they can survive one.
A crucial part of handling a cyber-attack is the communications strategy employed by your organisation. So, if starting or updating your crisis communications playbook isn’t on your resilience to-do list it should be.
Crisis communications is getting more difficult. Communicating effectively with a workforce that is more hybrid than “on prem” is harder to manage securely, and this is further complicated by the sensitive, disruptive and usually rapidly evolving nature of a cyber-attack.
As I always say, it is crucial that we plan and prepare what we can NOW. This frees up resources and bandwidth that will be very welcome in the event of a crisis.
So, let’s take a look at the crucial elements of planning for cyber crisis communications.
When creating a crisis communications playbook, or developing an existing one, the first step is to list the stakeholders you may need to communicate with. This will vary by industry and organisation, but it will usually include employees, contractors, partners, your supply chain, customers, regulators, shareholders, insurers and the press. Make a list of all these stakeholders and the preferred mode of communication for each of them. For example, a regulator may require you to complete an online form or actually pick up the phone. Can you communicate with clients through alternative channels if your email system is not accessible? Who would need to contact your suppliers, and how would they do this?
Next to each stakeholder on the list, note when you have to contact them. For some that may be at your discretion, but for regulators, insurers and some clients (depending on the agreements you have in place) the timing may be prescribed.
Even if you get no further than this stage in the crisis communications planning process, you will have a good list of who to contact, when and how.
Make sure the security team is working closely with the communications team. Comms will undoubtedly take the lead but will likely need clarification on the impact and consequences of various cyber-attacks.
Understand the communications decision-making process
In most organisations you will want to ensure that a senior communications person is on the Crisis Management Team (CMT) or “Gold Team”. The Gold Team is the strategic decision-making team in a crisis. Read our article here on the Gold/Silver/Bronze structure. You will also want to ensure that each member has a nominated deputy who would step into the role if they are unavailable. Other members of the CMT or Gold Team include HR, Legal, Cyber Security, Compliance and Operations, each of whom will influence communications output depending on the impact being felt in their business areas.
The main communications strategy and message will come down from the CMT. The tactical delivery of that message to stakeholders is decided by the Silver Team or other second tier leaders, depending on the organisation. This tactical delivery will include making decisions on the method of communication, the prioritisation of clients or suppliers, and running “town halls” with employees.
You may wish to consider investing in media training for anyone who may be expected to speak to journalists, as this is a skill that most people need training and support to perform effectively.
Review the communications channels
Another vital part of cyber crisis communication planning is conducting a review of the communications channels. I find this is a great objective to build into a cyber crisis exercise and most of the exercises we run find room for improvement here.
What makes a cyber-attack different from, say, a fire or flood is that you may well have lost access to email and other “tried and tested” communication channels.
For internal communications I always recommend having two backup channels, at least one of which needs to be “out of band”. This means a way of communicating that is totally independent of your network and infrastructure. A good combination is Teams, Google Meet, Webex or whatever platform your organisation uses, combined with an instant messaging platform such as Signal or WhatsApp as the out-of-band channel. Which platform you choose is up to you and your risk profile.
For external communication you need to consider how you would notify clients, suppliers and partners if all your usual and preferred methods of communication were inaccessible. Consider the resources that would be needed too. For instance, if you have 100,000 customers and you were to call each of them individually (and field incoming calls too), how many people would you need to draft into your call handling team to cope? Is this a realistic expectation?
Finally, make sure you have up-to-date contact information for everyone you would need to contact in a crisis.
Building communications templates
The more you can prepare now the better. Comms templates are no exception. Pick a threat you think is either likely to manifest or would be particularly bad should it manifest and start there.
Let’s take ransomware as an example. A ransomware attack is likely to follow a fairly predictable trajectory, so you can plan out a series of comms messages that can be tailored should the attack actually happen. You cannot just draft one statement for an ongoing attack. In a cyber-attack you will likely be putting out statements for days or even weeks. Plan a few, escalating in severity, starting from
“We are experiencing issues and are looking into it”
all the way up to
“We have been hit with a double extortion ransomware attack and everyone’s data is gone”.
Be transparent and honest, but don’t overshare too soon. Make sure your messages reassure and also show empathy. Consider whether each statement is going out on the website, Twitter, Facebook, email or any other channel, and tailor the tone accordingly.
As a general rule I advise clients that once you tell one group of stakeholders, you have to be prepared to tell them all. Things inevitably leak, and what you definitely want to avoid is a situation where rumours start spreading. This means that if you’re sure credit card data has been stolen and you only tell your employees, I will bet that within an hour your clients, regulators, suppliers and everyone else will have heard a version of this that may be neither accurate nor in line with the narrative you want. If you tell one, tell them all.
Here are a few tips for consideration in your cyber crisis communications planning:
- Avoid saying too much too soon or too little too late.
- Post your message on social media but don’t waste critical time fighting with anyone and everyone who comments on the post.
- Include in your playbook a reminder to check and remove any BAU comms that were scheduled to go out, should an attack occur. You definitely don’t want a social media post to go out bragging about how amazing you are when you have just had to announce an attack.
- Don’t overpromise and then fail to deliver, and don’t put out communications that blame anyone else.
- Ensure you also draft communications reminding employees not to talk to the press or post on social media.
- Ensure that everyone who may need to speak to the press or key stakeholders has received training on how to do this.
- Make sure your updates are frequent even if all they say is “there is no more news”. Everyone feels more reassured when they are kept up to date.
Rehearse your cyberattack crisis communications plan
Once your cyber communications plan and playbooks are in place, make sure your team has practised using them. The best way to do this is to run a cyber crisis exercise in which both your strategic and tactical teams have to practise various elements of incident management, including comms.