During an emergency, it’s essential for a comms team to understand the full facts and impacts of the crisis. If they don’t, they’ll be forever playing catch-up with the media and other stakeholders.
If the emergency is a hack, then problems can stack up right away as determining the facts of a cyber-attack can be tricky. A hack is not a one-off event; it is typically something sudden but thereafter incremental. How the comms team responds needs careful thought.
Once it’s been determined, presumably by IT security, that an attack is underway, internal comms is the most important first step. Before you think about communicating with external stakeholders let your staff know what’s going on.
Everyone in the organisation is going to have to work together to beat the cyber-threat so your staff will need to learn from you rather than the media about any new developments. Information sourced from the media is likely to be sensationalist, so employees need good dispassionate information from the comms team to maintain trust.
There are practical benefits too as if there is malware involved then staff need to be told to stop sending emails or using website messaging as this could spread the virus and put data at risk. They also need to be warned about clicking on any suspicious links contained in emails and elsewhere.
If the cyber-attack is particularly vicious it may be necessary to take down your email server. How will you then communicate with your staff? Do you have an emergency communication system at your disposal?
When it comes to external comms a speedy response is needed as it’s likely the attack is already on social media. If the story has broken, then release a holding statement setting out what you know, however, limited that may be, together with your key messages. This may be how customers can best protect themselves and what you are doing to address the problem.
Obviously, don’t speculate about what you don’t know. If you can confirm that no confidential data has been seized than do so, but only if you are absolutely sure. If data has been stolen then journalists and others will be asking whether the data was encrypted. You must have your answer ready.
With GDPR in place if you are subject to a data breach then the Information Commissioner’s Office must be informed within 72 hours. Data breaches should be reported if they ‘pose a risk to the rights and freedoms of natural living persons’. This generally refers to the possibility of financial loss, reputation damage or some form of discrimination.
Many organisations are now putting together cyber-playbooks setting out in specific terms how to tackle the cyber-menace. These typically include checklists, boilerplate press statements and practical steps to take in the event of a hack. This may well be something to consider if the threat of a cyber-attack is keeping you awake at night.
Jim is crisis management director at YUDU Sentinel. He designs and delivers crisis simulation exercises via the Sentinel app, writes crisis communication plans and media trains senior executives. He also presents monthly crisis management webinars. In another life, he was a journalist working at ABC News (US) where he covered stories including the Gulf War, the Bosnian conflict and the Concorde crash. He won two Emmys for his work.