As evidenced in recent years by the 2020 SolarWinds attack, the 2021 Colonial Pipeline ransomware attack, and an overall 105% increase in ransomware attacks last year alone, cybercrime is on the rise and evolving. It is no longer an “if” occurrence, but a “when.” Companies, of any size, should be prepared.
Beyond implementing necessary technical and risk mitigation efforts, a comprehensive communications strategy is critical to business resilience and security in the event of a cyberattack. Not only does effective communication support immediate crisis needs, it can also mitigate long-term reputational damage.
Here are a few communications best practices to consider when preparing for and managing through a cyberattack:
1. Analyze the situation.
Not all attacks require the same level of response. Take the time to understand what happened before communicating, as it will greatly impact the volume and level of communications necessary. First and foremost, while it is often hard to tell if sensitive information was “taken” or merely “seen” by cybercriminals, if there is evidence of the former, a more urgent and aggressive communications posture could be necessary. Additionally, a data breach in which personal health information (PHI) or personal identification information (PII) are accessed, such as the 2015 Anthem Healthcare breach, represents a serious breach of information and poses a substantial threat to the company, its partners and users. After discovering the attack and launching an investigation, the hospital took one week to gather the necessary information and develop a suite of materials, including a holding statement, landing page with FAQs and a hotline for users, to address the situation. Alternatively, a ransomware attack in which a small volume of historic documents with no PHI or PII are taken hostage represents a much less meaningful threat to a company’s users and future reputation. In that case, after confirming attackers did not access PHI or PII, the company can move forward with developing and delivering a more targeted set of communications materials.
2. Work with an established crisis team.
Ideally, prior to any breach, security leaders will already have a clearly defined and cross-functional team in place, including personnel from communications, legal and information technology (IT) departments. Each department or individual will need to have ownership of unique responsibilities in the event of an issue. For instance, one significant role for counsel will be to escalate and ensure proper disclosure to federal and/or state authorities and to ensure compliance with the most restrictive state laws, a step required for nearly all cyber threat incidents.
3. Consider the internal and external stakeholders.
Victims of an attack (e.g., users, vendors, partners, employees, etc.) will certainly be the primary audience initially. If not a direct victim, employees also represent a key secondary stakeholder group, as they can be one of the entry points attackers use to access a system. With any of these groups, security will need to share the facts of a cyberattack and any pending investigations as they become available, as well as be prepared to respond with questions related to present and future impact.
4. Be mindful of post-crisis communications.
Unfortunately, crime sometimes begets crime. After a cyberattack occurs, especially if that attack impacts a large number of individuals, victims can fall prey to additional scamming attempts. Phishing emails come through with information about credit monitoring services, or victims receive phone calls with “urgent” news about the attack that requires a credit card number. It leaves victims feeling continually vulnerable, and therefore, companies must ensure they are explicit, repetitive and empathetic in how they communicate with those impacted.
5. Have a plan in place before the crisis hits, but also learn and reevaluate.
Before the crisis occurs, audit the organization’s risk profile and potential areas of vulnerability, analyze audiences, map out situational language, identify key decision-makers and spokespeople. All of these steps will ensure that when the fire hits, communications materials are founded in a clear, well-thought-out strategy. But every situation is unique. Following the issue, be sure to re-evaluate the plan. Were the communications tools effective at clearly informing victims of the details of the situation? If the attack resulted from an employee clicking on the wrong email link, what new trainings need to be implemented? Greater awareness of the vulnerabilities of a strategy will only help in strengthening the plan for future inevitable issues.
It's clear that cyberattacks are only going to increase. Even if a company is prepared technologically against a threat, is it prepared to communicate effectively? Assessing vulnerabilities and putting a communications response plan together are the key initial first steps. They could all make the difference in ensuring a company’s reputation is seen as responsible, trustworthy and supportive when an attack comes.