The threat of cyberattacks on US businesses, nonprofits and public agencies has never been greater in the wake of the rocky Russian invasion of Ukraine, China’s unending thirst for US technology and a growing global band of cyber-bandits.
It’s definitely time to update your crisis plan.
A good first step is to upgrade cyber security to protect against known cyber vulnerabilities. The Biden administration urges using multi-factor authentication, changing passwords, backing up and encrypting data and educating employees on how to avoid falling prey to cyber-predator phishing trip. Go to school on the kinds of cyberattacks that are most likely to victimize your type of organization. Cyber-punks and Russian trolls pose different crisis threats with potentially different goals.
It’s equally important to update crisis communications plans with a cyberattack crisis scenario. Review and identify the most likely crisis-triggers for your type of organization. Communicating when facing a cyberattack has unique challenges, not the least of which is having the cyber-attacker monitoring what you say and who you say it to. Since cyberattacks are crimes and federal officials discourage ransom payments, crisis communicators have additional law enforcement bases to touch and points of view to consider.
Like most crises, cyberattacks don’t come with warnings. The crisis can begin when a cyber-attacker is trying to break in, not just after he is inside. Like all crises, you won’t have control. And you won’t have time to spare to respond.
A cyberattack crisis plan scenario should include:
- The crisis team that should be assembled, including IT personnel and someone with experience dealing with cyberattacks.
- A predetermined and properly equipped offsite or off-line location to manage communications outside earshot of the cyber intruder.
- Advance media training for the designated spokesperson, who must be well-grounded in the details of this kind of attack, the nature of the crisis it causes and the most advisable approach to messaging about the cyberattack.
- An alternative method to communicate with internal audiences who may not have computer or phone access through normal organizational channels.
- A list of federal, state and local law enforcement and regulatory authorities who must be alerted and kept informed.
- Identify what other organizations with links to you could be infected through a cyber-breach.
- A backgrounder that describes the organization’s cyber security defenses. This may not be for wide distribution, but only shared on a confidential basis with news media to blunt questions about adequate defensive measures.
- A separate backgrounder on potential third parties that could be affected by a cyber breach and should be contacted directly.
Don’t waste time wordsmithing generic “placeholder” statements. Cyberattacks are as unique as they are unpredictable. React quickly with confidence, based on advance preparation, and speak to the moment.
Crisis scenarios aren’t hard and fast to-dos. They are guides and structures for dialogue on how a specific type of crisis might be triggered and how it should be addressed.
Don’t waste time wordsmithing generic “placeholder” statements. Cyberattacks are as unique as they are unpredictable. React quickly with confidence, based on advance preparation, and speak to the moment. A better use of time is rehearsing a response to a cyberattack, which can expose weaknesses and validate approaches.
When the crisis is over, take time to evaluate your response. The review can reveal weaknesses and strengths that bear on responding to – or preventing – other crisis scenarios. Plus, cyberattacks can have nasty echoes, and they aren’t always one-and-done events. Learn from a crisis how to prevent the next one or deal with it more effectively.