ITL #614 Integrating communications into cybersecurity incident response plans: crucial to protect brand and reputation



Many organisations are caught in a reactive mode when hit by a cybersecurity incident or technology outage. Far better to be prepared and to anticipate risks. By Kathryn Goater.



Many recent high-profile cybersecurity attacks and technology outages have left corporations around the globe scrambling. While technical teams focus on risks and vulnerabilities, wise organisations take a broader view and develop plans for how they will communicate with the media and key stakeholders if a cybersecurity incident hits. It is too late to start planning how you will communicate once the glare of the media spotlight is on your organisation.

Many organisations are caught in a reactive mode when they suffer a cybersecurity incident or technology outage. It is far better to prepare, and to anticipate in advance the risks that might attract media attention and unwanted scrutiny, than to wait for an issue to erupt and then try to respond and manage it as it unfolds. It is no longer a matter of if, but when, a cybersecurity incident will occur.

Part of every organisation's preparation for significant incidents is planning and practising how to handle the media spotlight during an incident, knowing who the relevant stakeholders are and how to communicate with them. You must be ready to handle media attention while a crisis is unfolding, and you must have thought about how you will reach your customers if all your systems are down.

Don’t react, be proactive 

How your organisation communicates with the media, customers, staff, shareholders, partners, suppliers, government and regulatory bodies during a cybersecurity crisis is key. Overcoming an incident is not just about resolving technical issues to get business systems and access up and running as quickly as possible. Failure to communicate effectively can impact the organisation long after the technical damage has been remedied. Protecting your brand and reputation and being ready to deal with the media must be part of your cybersecurity incident response plan.  

Typically, incident response plans focus on resolving technical issues and neglect to factor in media and public interest, which can negatively impact corporate reputation and brand.

Every organisation, regardless of its size, should develop and maintain a risk register. Rank each risk by its likelihood and impact, and prioritise mitigation strategies and communications plans for any risk deemed high likelihood and high impact. Those communications plans should cover how to reach the media, customers, staff, partners, suppliers, regulators and the government.

Have communication strategies and draft materials ready  

Once you have identified which risks need a communications strategy, you need to pinpoint who needs to know, who might find out, how each group should be communicated with and the timeline for communication. There may be different regulatory obligations for communicating with different stakeholders as an incident unfolds and across different geographical locations. Several breach-notification regimes set deadlines measured in days, so the timeline for notifying regulators and affected individuals is often dictated by law rather than by preference; confirm which regimes apply to you before an incident, not during one.

For a cybersecurity incident, the risks fall into two main categories. The first is unauthorised access to sensitive data: a loss of confidentiality. When this happens, you need communications plans for customers, suppliers, business partners, and the media. Those plans need to include the language you intend to use and be drafted and ready, with minimal editing required, so you can move fast when needed.

The second is loss of availability. In incidents such as a widespread ransomware attack or a Denial-of-Service attack, you may have limited access to your own systems. So, in addition to detailed communications plans and templates, you need to think about how you will get your messages out. Maintaining an offsite system that is 'air gapped' (kept separate from your main network, email and identity systems) and that holds copies of your templates, contact lists and spokesperson details helps ensure your ability to communicate with key stakeholders is not compromised; a plan that exists only on the systems that are now encrypted or offline is of no use. Bear in mind that the two categories overlap: many ransomware operators steal data before encrypting it, so a single incident can require both the data-breach communications and the outage communications at the same time.

Prepare templates for all the different scenarios and audiences you may need to communicate about so you are not scrambling to do this while in the throes of incident response, slowing down your ability to keep people informed. Practise how you will communicate with your stakeholders and all affected parties as part of your incident response training and simulations. Include role-play media interviews in your technical simulations so your crisis team and spokesperson are well prepared.  

Language matters 

The language you use must be consistent regardless of who you are communicating with. While the impact on different stakeholders will vary, the basic facts about an incident will be the same. Avoid using emotive terms or embellishing in any way. For example, we often hear spokespeople use the term "sophisticated attack". The reality is that very few attacks use tools that are considered sophisticated by cybersecurity professionals. Most attacks use established tools and methods and often exploit known vulnerabilities, and the claim is easy for journalists and researchers to check against the technical details once they emerge. Don't speculate about how an attack occurred and don't jump to attribution.

Only discuss facts that have been verified, and keep the language accessible by avoiding technical terms. It can help to get expert assistance, either from an in-house PR team or from an external agency, that understands cybersecurity response and can work alongside your technical team to mitigate the risk of unclear communications that might exacerbate the incident and erode stakeholder trust in your ability to remediate quickly. They should know the questions the media are likely to ask, help you prepare for them and ensure spokespeople are well trained to handle any scenario.

Successful cybersecurity incident management is about more than your technical response. How you communicate with customers, employees, shareholders and the media is key to mitigating fallout and how quickly your brand can rebound from the incident. Anticipate the types of attacks you might be subject to, determine who you need to communicate with and how you’ll reach them, and have templates prepared that avoid emotive language. Practise your plans regularly and be ready at short notice to execute them if needed.  

A well-managed crisis doesn’t have to be the end of a business or the death of a brand. It can be an opportunity to communicate, fix problems and emerge wiser and stronger.  

 



The Author

Kathryn Goater

Kathryn Goater is the co-CEO and PR Director of Australian-based media training and PR agency, Media-Wize. Media-Wize specialises in technology and cybersecurity media training, crisis communications and PR services.





We are keen for our IPRA Thought Leadership essays to stimulate debate. With that objective in mind, we encourage readers to participate in and facilitate discussion. Please forward essay links to your industry contacts, post them to blogs, websites and social networking sites and above all give us your feedback via forums such as IPRA’s LinkedIn group. A new ITL essay is published on the IPRA website every week. Prospective ITL essay contributors should send a short synopsis to IPRA head of editorial content Rob Gray email


