Written by Anthony Caruana and Kathryn Van Kuyk, co-CEOs, Media-Wize.
Not all media attention is wanted. Over the last few months we’ve seen a number of major companies including Medibank, Optus, The Good Guys, Bunnings and Kmart all receive the unwanted glare of the media spotlight because of issues with cybersecurity and how they handle customer information.
Many businesses are caught in a reactive mode when they suffer a cybersecurity incident. Typically, their incident response plans focus on resolving technical issues in order to get business systems and access up and running as quickly as possible. But those plans often neglect to factor in the media and public interest, which can negatively impact the corporate reputation and brand.
How your organisation communicates with customers, shareholders and the market is critical and can impact the company long after the technical damage has been remedied. Protecting your brand and reputation, and being ready to deal with the media while a crisis is unfolding, needs to be part of your cyber incident response plan.
Start with your risk register
Every business, regardless of its size, should develop and maintain a risk register. Each risk should be ranked according to its likelihood and impact, with mitigation strategies and communications plans prioritised for any risk that is deemed to be high likelihood and/or high impact. This should include how to communicate with the media, customers, partners, suppliers, employees, regulators and the government.
Communication plans
Once you have identified which risks will need a communications plan, you need to determine who needs to know, who might find out, how each group should be communicated with, and how quickly this needs to be done.
For a cybersecurity incident, the risks fall into two main categories. The first is unauthorised access to sensitive data. When this happens you need communications plans for customers, suppliers, business partners, and the media. Those plans need to include the language you intend to use and be drafted and ready, with minimal editing required, so you can move fast when you need to.
The second category covers incidents such as a widespread ransomware outbreak or a Denial of Service attack, where it’s possible that you will have limited access to your own systems. So, in addition to detailed communications plans and templates, you may need to think about how you’ll get your messages out. Maintaining an offsite system that is ‘air gapped’ from your production environment can ensure your ability to communicate with key stakeholders is not compromised along with everything else.
The words you use matter
The language you use must be consistent regardless of who you are communicating with. While the impact on different stakeholders will vary, the basic facts about an incident will be the same.
Avoid using emotive terms or embellishing in any way. For example, we often hear spokespeople use the term “sophisticated attack”. The reality is that very few attacks use tools that are considered sophisticated by cybersecurity professionals. Most attacks use established tools and methods and often exploit known vulnerabilities.
Don’t speculate about how an attack occurred and don’t jump to attribution. Only discuss facts that have been verified, and keep the language accessible by avoiding technical terms.
Be prepared
The successful management of any cybersecurity incident starts well before the breach or attack. Using your risk register, list all the different types of incidents you might be subjected to. Determine who will need to be informed for each incident and how they will be contacted, noting that you may need a communication system in place that does not rely on access to your own systems.
Prepare templates for all the different audiences and messages you need to communicate so you are not scrambling to do this while in the throes of incident response. Practise how you will communicate with your stakeholders and all affected parties as part of your incident response training and simulations.
It can help to get expert assistance, either from an in-house PR team or from an external agency that understands cybersecurity response and can work alongside your technical team to mitigate risks and close communication gaps before an incident happens. They should know what the media will want, help you prepare, and ensure spokespeople are well trained to handle likely scenarios.
Successful cybersecurity incident management is about more than your technical response. How you communicate with customers, employees, shareholders and the media will impact your organisation’s reputation and brand. Anticipate the types of attacks you might be subject to, determine who you need to communicate with and how you’ll reach them, and have templates prepared that avoid emotive language, don’t speculate or embellish, and stick to the facts. Practise your plans and be ready to execute them at short notice if needed.