[BreachExchange] Five tips to ensure your crisis comms plan is ready for a cyber attack

[Sophia Kingsbury]

https://www.computerweekly.com/opinion/Five-tips-to-ensure-your-crisis-comms-plan-is-ready-for-a-cyber-attack

On 12 May 2021, the Biden administration unveiled an executive order to
improve the US’s cyber security defences. The approach is meant to “improve
its efforts to identify, deter, protect against, detect and respond to
these actions and actors”.

This is welcome news, but since then we have continued to witness
debilitating attacks, from JBS to Kaseya. Enterprises continue to face
existential threats from cyber attacks and now the board of directors and
the C-suite are left with this unavoidable reality: it’s not if, but when
your company will face a cyber attack.

And when confronted with that reality, the board and C-suite will quickly
realise that cyber attacks are quite different from other corporate crises
– necessitating a pragmatic and tailored approach to communicating with all
stakeholders when a breach occurs.

The most pressing questions that the board and other executives should be
asking themselves are:

   - In the event of a cyber attack, is the company ready to comply with
   regulatory reporting requirements?
   - Has it given thought to how it will communicate with affected
   stakeholders in the event that primary communications channels have been
   compromised in the breach?
   - How should the company respond publicly without further inciting the
   threat actors to wreak more havoc on it?

Below are five crisis communications tips that the board and C-suite should
consider when thinking about overall cyber security strategy.

1. Ensure a senior member of the communications team is part of the cyber
incident response team

Every company should have a cyber incident response team (CIRT, or
sometimes CSIRT) with a senior communications executive included. This will
help to build a bridge between IT, legal, the C-suite and outside partners,
and ensure that the communications team has timely access to accurate
information as the breach unfolds.

Having access is half the battle in a cyber-specific crisis and ensures
timely reviews and approvals of decisions and content necessary for the
team to communicate transparently internally and externally throughout the
event. If the CIRT does not have a formally defined role for a senior
communications person, the company’s communications response will suffer
greatly.

2. Don’t further incite threat actors with undisciplined communications

If you are a board member or part of the C-suite of a company that is in
the middle of a cyber attack – especially a ransomware attack that involves
ransom negotiations and stolen data – a top priority is ensuring that any
communication is measured and mindful of specific demands.

Any message, whether delivered via an email, a company spokesperson, social
media post or press release, must strike the right balance of addressing
stakeholders’ key concerns without further inciting the threat actors.

How or when the company communicates can influence ransom demands, the
length and severity of the attack and the release of stolen information
that can have major repercussions on the reputation of the business.
Thinking like a threat actor and knowing what will and won’t incite them
further is paramount.

3. Always stay on top of compliance and reporting requirements

It is critical that your chief communications officer is as well versed in
cyber security compliance and reporting requirements as your chief
compliance officer. From publicly traded to privately held firms across
nearly every industry, there are a range of reporting requirements to which
companies need to adhere that differ globally.

For example, the UK General Data Protection Regulation mandates that
organisations that have suffered a personal data breach that is “likely to
result in a high risk to the rights and freedoms of individuals”, those
concerned must be informed “directly and without undue delay”. Notifiable
incidents must also be disclosed to the Information Commissioner’s Office
within 72 hours.

Meanwhile, for those operating in the US, a publicly traded company is
bound by the Securities Exchange Commission to file a Form 8-K to “announce
major events that shareholders should know about”. Failure to do so can
result in fines and other punitive measures.

Other examples abound. For financial institutions, if it is determined that
customer information is misused or breached, they need to inform
regulators, under the auspices of the Gramm-Leach-Bliley Act, in a
specified timeframe. Similar conditions exist at state level.

For example, financial institutions based in New York that experience a
cyber attack must follow compliance protocols outlined in the New York
Department of Financial Services’ Cybersecurity Regulation.

4. Accuracy matters more than speed

Amid a cyber attack, a slow, ineffective response could prove disastrous
for a company’s reputation. Speed is important, but inaccurate and
incomplete information will cause more damage. If the crisis communications
infrastructure is already in place, combined with the appropriate legal,
compliance, operations and IT entities, your chances of communicating
accurately are better assured.

5. Establish a cloud-based communications system to reach stakeholders if
primary communications channels are disabled during a cyber attack

If you preside over a company that primarily uses email to communicate with
employees, customers or anyone, and email is down because of the cyber
attack, it is critical to have backup communications channels to
disseminate information quickly and effectively. Enterprises should
consider cloud-based platforms that foster one- and two-way communications
that can be turned live at a moment’s notice.

When the primary channels go dark, the company cannot afford the same fate
and must have back-up channels established, so it doesn’t miss a beat on
the communications front.

For the board and the C-suite, cyber attacks represent a fast-moving,
ruinous form of crisis that imperils brands and stakeholders. And while
general crisis communications principles have relevance, a cyber attack is
a wholly different beast.

The five tips outlined above will help to fortify a company’s crisis
communications plan for a cyber attack, but it must also be integrated with
a broader cyber security strategy. Without it, companies will imperil their
value, security and reputation.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210802/cdd2e846/attachment.html>