With the growing threat and prevalence of cyber attacks, it’s critical that companies have effective communications hard-wired into their crisis plan. Layer on the risk of increased exposure with dispersed workforces and greater regulatory scrutiny, and companies are under tremendous pressure to handle these threats in a timely manner.
Recently on White Swan: The Crisis Podcast, we spoke with Dr. Jessica Barker, a leading U.K. cyber security consultant, who advises institutions and individuals on how to keep their information safe in an increasingly virtual world. She is a sought-after cyber expert and media commentator, and we were thrilled she could join us to share her perspectives about the importance of human behaviour when implementing operational changes, particularly cyber security.
Internal communications or the too often forgotten aspect of crisis management
Dr. Barker observed that internal communications are often ignored in a crisis, which can be detrimental to a corporate response and put a company’s reputation at risk.
Ignoring the importance of internal communications in your cyber security plan could be a fatal flaw in your company’s response to a cyber attack. During a crisis, employees can be your greatest assets and allies. As your brand ambassadors, employees who feel connected to your organization, vision, and purpose will be more productive, loyal, customer-focused, and go above and beyond what is asked of them. Often employees are the face and voice of your organization and keeping them engaged and informed helps ensure this trusted source remains loyal, true, and supportive of your organization as you navigate the challenges and frustrations that often come with a cyber attack.
Effective communications planning for a cyber attack requires careful thought and consideration for stakeholder relations and engagement. This includes mapping priority audiences, understanding their perspectives, what information they need to receive, and the best channels and approaches to share information. As part of this planning process, I will typically advocate for what I call an inside-out approach to communications, which means that any time you are communicating externally, you should first communicate internally to employees.
With this approach, you are first sharing information internally among employees and priority stakeholders to ensure they are aware of information that could impact them, or they might hear about it in the media or online. By making sure they hear it from you first, you can frame and control the narrative, and establish your company as the trusted source of information about the incident. Also, this is an opportunity to increase awareness of any employee resources, information, or actions they may need to take because of the incident. Organizations that are communicating effectively in a cyber attack understand that engaged and informed employees are a critically important stakeholder and audience in a crisis.
The importance of carefully balancing your reactions
Another key insight shared by Dr. Barker is the importance of reacting, but not overreacting in a cyber attack. She reiterated that it is important for a company to exercise good judgment and that must be applied for every crisis.
Every crisis does take some level of judgment based on situational analysis—often balancing diverse perspectives and public relations (reputation) and legal advice (risk). There is a natural tension that occurs when a company is navigating the complexities of a cyber attack between understanding your legal and regulatory obligations and wanting to communicate in a timely manner to key audiences. Determining your communications strategy is a fine balance that requires understanding your regulatory obligations and risks and assessing the level of audience impact based on your investigation into the cyber attack. These investigations can take time, sometimes weeks and months, before getting a clear understanding of the data compromised in the attack. Precious time that often increases the urge of a company to act, which must be balanced with communicating too soon and before the facts of the matter are truly understood.
When it comes to proactively communicating and disclosing that your company has been the victim of a cyber attack, I am a big believer in “right-sizing” your approach and communicating based on the acuity of the situation. In this context, acuity is the velocity (how quickly the issue is moving and awareness is growing) and influence (who is weighing into the conversations or level of awareness of the issue—for example, are national news outlet reporting the attack, or has a high-profile cabinet minister commented on the situation). Generally, if there is low awareness and risk, I will advise communicating based on the level of impact with targeted direct-to-stakeholder notifications. If there is greater awareness, risk, and impact of the attack, this will broaden the scope of your communications. This decision process requires judgment and skill to right size your communications approach to the situation you are facing.
Cyber security is somewhat unique in that if you have a privacy breach there may be formal notifications required as part of regulatory or contractual obligations. This is why it is so important to consult with insurance and legal counsel to determine your risks and obligations. From a communications perspective, this will typically involve direct stakeholder communications based on impact and data compromised, effective social and media relations strategies, and being thoughtful and timely in your communications.
NATIONAL works with an integrated team of leading cyber security experts, including legal, insurance and cyber security, to advise clients of the best approach to managing a cyber attack. Click here to speak with an expert of our cyber security team.
For more information, visit White Swan: The Crisis Podcast where each episode features an in-depth conversation with a senior figure from the world of business, who tell us about their crisis experiences and give you the lessons you need to hear.