Crises are getting harder to avoid. Cyberattacks are a new threat that can afflict almost any organization whether private, nonprofit or public. Competent crisis preparation now must include cyberattack crisis scenarios.
Cyberattacks have grown more sophisticated, targeted and frequent. It won’t be enough for a crisis plan to list cyberattacks as a possible vulnerability. Crisis planners must anticipate a range of cyberattacks, their sources and their potential impacts.
Crisis communications about a cyberattack has unique aspects that should be addressed in a crisis plan. “There’s a compliance aspect to communicating during a cyberattack that isn’t necessarily present during other types of crises,” explains Ted Birkhahn, co-founder and president of Hot Paper Lantern, in a story posted by ragan.com. “There are reporting requirements that companies are mandated by state and federal entities to report.” Reporting requirements, Birkhahn adds, may occur before an organization is ready to respond publicly, increasing the time pressure on crisis response.
Other unique dimensions of cyberattack crisis response include disrupted internal and external communications and ransom negotiations. Unlike responding to an environmental spill, a crisis response to a cyberattack must consider a unique audience – the hackers in control of a database or sensitive operations. “The last thing you want to do,” Birkhahn warns,” is say something publicly that is going to tip them off or fuel the fire that instigates them to take additional steps.”
Birkhahn advises cyberattack crisis responders should work hand-in-glove with IT and legal professionals in real-time to know what to say and when to say it. “What you say publicly to any stakeholder, whether it’s internally or externally, could impact the outcome of the attack,” he says.
Yet another unique aspect of cyberattack crisis response is explaining a ransom payment and longer-term data breaches. Birkhahn says company officials may be embarrassed to admit paying a ransom or reluctant to identify post-attack consequences, especially to customers or stakeholders. There is pressure from federal officials who say paying ransoms encourages more cyberattacks. It’s tricky crisis response terrain, where general crisis communications rules may not always apply.
Crisis preparation for a cyberattack should parallel preparation for any kind of crisis. Advance planning, creating specific crisis scenarios and identifying go-to resources are critical to any timely, effective crisis response.
Responding to a cyberattack creates unique crisis response dynamics. First, cyberthieves may have control of your communications system. Second, you must report incidents to state and federal authorities. Third, your crisis response will be monitored by the people who attacked your system and could retaliate. Fourth, you may need to explain why you paid a ransom.
Advance planning should include selecting a crisis response team and designating a team leader, who needs to be well-versed in operations and the details of responding to different types of crises. An important detail is mastering the elements of a cyberattack and knowing how to communicate with IT experts who deal with the attack.
Issue audits should automatically address the possibility of cyberattacks, even if organizational leaders are skeptical their enterprise could be a target. Cybercriminals aren’t all alike. Some go for big paydays, while others nibble for crumbs or just want databases to exploit. In all cases, the disruption can be just as severe, painful and damaging to a reputation. Because cyberattacks and their triggers aren’t universally the same, some organizations may need to identify and address multiple cyberattack crisis scenarios.
All crisis plans, including for cyberattacks, should contain guidelines for incident response, stakeholder notification and employee communication. Placeholder statements are mostly placebos, so spend your energy on identifying the resources to draw on for support if a cyberattack occurs. Knowing how to reach and leverage relevant, go-to resources is one of the best uses of time in crisis preparation because it can save precious time when responding to a crisis. Preparing easy-to-share content that is informative, relevant, reassuring and honest for stakeholders, employees and the media is another valuable time-saver.
It’s also important to anticipate how to communicate if your organization’s communications hub is compromised or being held hostage. “How do I move information mostly into a cloud-based environment where it wouldn’t necessarily be affected by an attack,” Birkhahn says.
Choosing a spokesperson to respond to a cyberattack requires careful forethought. The gravity of the attack may suggest the CEO. However, cyberattacks attract more than the usual news outlets that bring a deeper knowledge of cyberwarfare and potential consequences. That argues for a spokesperson with at least some IT background or fluency. Whoever is assigned the role should undergo rigorous media training that sharpens his or her ability to deliver a message that informs, while not inflaming an ongoing crisis.
The crisis spokesperson should be a central part of the crisis team, not just someone at the end of the table who is asked to stand in front of a battery of cameras and read a statement. At best, the spokesperson should be the voice in the room pushing for an earnest, empathetic crisis response within the bounds of what can be said safely at any given time.
Heed Birkhahn’s concluding advice. “It doesn’t matter what industry you work in. It affects organizations across the board.”