The recent high-profile cybersecurity attacks on Medibank and Optus, as well as several that have garnered less attention, have left corporate Australia scrambling. While technical teams are focussing on risks and vulnerabilities, wise organisations are taking a broader view and developing disaster plans for how they will communicate with the media and key stakeholders if a crisis hits.
It is far better to be prepared, and to anticipate in advance the risks that might attract media attention and unwanted scrutiny, than to wait for an issue to erupt and try to respond to and manage it as it unfolds. In the current threat environment it is not a matter of if, but when, an incident will occur.
Part of every organisation’s preparation for significant incidents is planning and practising how to handle the media spotlight during an incident, knowing who the relevant stakeholders are and knowing how to communicate with them. It’s too late to start thinking about how to handle media attention when a crisis is unfolding.
Don’t React – Be Proactive Now
How your business communicates with the media, customers, shareholders and the market during a cybersecurity incident is key. Overcoming a cybersecurity incident is not just about resolving technical issues to get business systems and access up and running as quickly as possible. Failure to communicate effectively can damage the company long after the technical damage has been remedied. Protecting your brand and reputation, and being ready to deal with the media while a crisis is unfolding, must be part of your cyber incident response plan.
Many businesses are caught in a reactive mode when they suffer a cybersecurity incident. Typically, their incident response plans focus on resolving technical issues and neglect to factor in media and public interest, which can negatively impact corporate reputation and brand.
Every business, regardless of its size, should develop and maintain a risk register. Each risk should be ranked according to its likelihood and impact with mitigation strategies and communications plans prioritised for any risk that is deemed to be high likelihood and/or high impact. This should include how to communicate with the media, customers, partners, suppliers, employees, regulators and the government.
Have Communication Strategies and Draft Materials Ready
Once you have identified which risks will need a communications strategy, you need to pinpoint who needs to know, who might find out, how each group should be communicated with and the timeline for communication. There may be different regulatory obligations for communicating to different stakeholders as an incident is unfolding.
For a cybersecurity incident, the risks fall into two main categories. The first is unauthorised access to sensitive data. When this happens you need communications plans for customers, suppliers, business partners and the media. Those plans need to include the language you intend to use, and must be drafted and ready with minimal editing required, so you can move fast if needed.
The second is incidents in which you may have limited access to your own systems, such as a widespread ransomware breach or a Denial of Service attack. So, in addition to detailed communications plans and templates, you need to think about how you’ll get your messages out when your usual channels are unavailable. Maintaining an offsite system that is ‘air gapped’ from the production environment can ensure your ability to communicate with key stakeholders is not compromised along with everything else.
Prepare templates for all the different scenarios and audiences you may need to communicate with so you are not scrambling to do this while in the throes of incident response, slowing down your response times. Practise how you will communicate with your stakeholders and all affected parties as part of your incident response training and simulations.
The language you use must be consistent regardless of who you are communicating with. While the impact on different stakeholders will vary, the basic facts about an incident will be the same. Avoid using emotive terms or embellishing in any way. For example, we often hear spokespeople use the term “sophisticated attack”. The reality is that very few attacks use tools that are considered sophisticated by cybersecurity professionals. Most attacks use established tools and methods and often exploit known vulnerabilities.
Don’t speculate about how an attack occurred and don’t jump to attribution. Only discuss facts that have been verified, and keep the language accessible by avoiding technical terms. It can help to get expert assistance, either from an in-house PR team or from an external agency, that is skilled in cybersecurity response and can work alongside your technical team to reduce the risk of unclear communications that might exacerbate the incident. They should know what the media will want, help you prepare, and ensure spokespeople are well trained to handle likely scenarios.
Successful cybersecurity incident management is about more than your technical response. How you communicate with customers, employees, shareholders and the media is key to mitigating fallout and how quickly your brand can rebound from the incident. Anticipate the types of attacks you might be subject to, determine who you need to communicate with and how you’ll reach them, and have templates prepared that avoid emotive language. Don’t speculate or embellish and stick to the facts. Practise your plans and be ready at short notice to execute them if needed.
A well-managed crisis doesn’t have to be the end of a business or the death of a brand. It can be an opportunity to communicate, fix problems and emerge wiser and stronger.