[BreachExchange] Cybersecurity crisis communication: How to do it well

Destry Winant destry at riskbasedsecurity.com
Wed Jul 3 05:44:04 EDT 2019


https://www.helpnetsecurity.com/2019/07/02/cybersecurity-crisis-communication/

Riviera Beach is one of the several cities and towns in Florida which
have recently been hit with ransomware. Its local government, like
that of Lake City before it, decided to pay the ransom demanded by the
attackers to get their files decrypted.

They have also chosen to hire “an experienced crisis communications
manager” and have been telling journalists to direct all questions
regarding the incident to that public relations firm.

So, what does crisis communications management usually entail?

Preparing for a crisis

Paula Averley, owner and principal consultant at cybersecurity PR
agency Origin Communications, says that companies should always be
prepared for potential crises, and that the first step of defining a
crisis management strategy should be to understand what a crisis could
be within your specific organization.

Next: you’ll need to identify a crisis comms committee – a group of
people working across the business who will be responsible for the
strategy and for seeing it through.

“The crisis communications plan should include a detailed incident
response plan, which addresses each type of data breach the business
might face, setting out everything you’ll do at each phase, i.e.,
pre-crisis, during and post-crisis. It also needs to include the
details of the committee, responsibilities for each member and their
contact details,” she notes.

The to-do list also includes:

- Appointing expert spokespeople in every region the business operates
in (to avoid issues with timezones) and setting up media training so
they’re ready to be interviewed
- Identifying the audiences you need to communicate with – including
employees, shareholders, stakeholders, the public, partners and the
media – and determining what the needs of each will be in the event of
a crisis.

Your first priority should be those directly affected, but during the
crisis you’ll need to communicate with all of your audiences, from
when the crisis starts to when it ends, she notes.

“Be factual, be truthful, communicate clearly and empathetically with
the people affected. Be open and transparent. If you’re still working
out what’s happened and you’re not quite ready to give a detailed
response, say so. Prepare a holding statement for each audience and
keep updating them as you learn more details.”

Finally, she recommends roleplaying what would happen if a breach
occurred, in order to test and rehearse your plans.

“Don’t assume you’re sufficiently prepared to handle a crisis. It
often demands more groundwork than you realise, and an elementary
crisis plan and generic messaging will not be enough,” she adds.

“Don’t forget internal communication. Employees across the
organization will be instrumental in managing and communicating about
the crisis, so build them into your plan. Your approach might include
in-person meetings, the intranet and emails.”

During the crisis

One of the challenges in tackling a crisis is to ensure that the
notification of the crisis and its management is communicated
internally through the right channels and via the crisis comms
committee – before rumour, incorrect information or negative reactions
start to do the rounds within the business.

If a breach happened, determine how it happened: it’s important to
know whether there was any failure on the part of the organization,
whether due to a lack of control in its systems, processes, policies or
technology.

“Establish exactly who was affected, and how – what data has been
exposed, and what could the impact of this be? What do you need to
tell those audiences, and which channels will you use? If personally
identifiable information (PII) was involved, you’ll be subject to the
reporting requirements set out in the GDPR framework. The biggest
challenge will be the need to notify the regulators and those affected
quickly, but also be accurate in the information you convey,” Averley
points out.

She also warns against keeping mum and hoping that the media won’t be
interested in what happened.

“You don’t want to be caught on the back foot if the media does run
with the story; this will only make the situation worse. Being vague
or silent will make you look shifty and dishonest, which will damage
customer trust and the reputation of your brand – maybe irreversibly,”
she says.

“Also, be ready to accept responsibility for any part your
organization has played in what happened. If you need to apologize, do
so. Explain what you’re doing about the cause of the crisis, then
again, explain how you’ve remedied the situation and the measures put
in place to prevent it happening again. Show evidence of this. Provide
a ‘call to action’, e.g., a support page on your website and a help
line.”

When dealing with media enquiries:

- Brief your expert spokespeople fully and provide them with as much
information as possible, not only about the crisis, but about the
media that are interested in speaking to them and the kinds of
questions they are likely to ask.
- Don’t be tempted to answer questions or agree to an interview before
you know the facts.
- Don’t say ‘no comment’ or try to hide away. That will only send the
wrong message.

“Journalists ask tough questions because it’s their job to hold you to
account on behalf of their readers and viewers. If you don’t prepare
by training and practicing in how to answer challenging questions you
won’t feel confident when it comes to the crunch, and this will come
across – making you look cagey and ineffectual,” she adds.

After the crisis

The event that has precipitated the crisis is getting distant in your
rearview mirror, but you still need to communicate with all of your
audiences, to reassure them and to demonstrate that the remedies and
prevention measures you’ve put in place are working.

“Show that you’ve learned from the experience, and if you’ve made
changes – for example in your cybersecurity process – describe exactly
what these are. Lastly, as well as considering what went wrong,
consider what went well and tell the media, your customers and other
stakeholders about this too.”

Post-crisis, you should keep in touch both with the media and your
different audiences to rebuild the relationship and trust. If you’ve
handled the crisis well, there should be latent trust and credibility
that you can build on.

“Don’t go overboard trying to impress them or ‘woo them back’, but
continue to communicate regularly, as you did before the breach, about
your news and developments,” she advises, and points to Norsk Hydro as
a great example of how to respond to a (cybersecurity) crisis.

“Norsk Hydro handled its recent crisis in a competent and transparent
way, which suggests it had a solid response plan in place prior to the
event. In particular, it made sure communication continued well after
the event, and demonstrated how its employees rallied and worked
together to respond to the attack, which indicates that the
organization communicated well internally as well as externally.”