It is more crucial than ever for businesses, regardless of their size, to have a well-defined crisis communication plan in place to navigate the unexpected, including cyber attacks.
Following two years of high but stable loss activity, 2023 has seen a worrying resurgence in ransomware and extortion claims as the cyber threat landscape continues to evolve, Allianz Commercial has warned in a new report.
Hackers are increasingly targeting IT and physical supply chains, launching widespread cyber assaults, and devising innovative methods to extort money from companies, regardless of their size. Currently, the majority of ransomware attacks involve the theft of personal or sensitive business data with the intention of extortion. This not only raises the cost and complexity of such incidents but also heightens the potential for damage to a company’s reputation. According to Allianz Commercial’s analysis of significant cyber losses, there has been a continuous increase in the instances where data is exfiltrated, with the proportion doubling from 40% in 2019 to nearly 80% in 2022, and this trend is expected to further escalate in 2023.
Cybersecurity incidents can target any business, and with the continued prevalence of hybrid working, the need for effective crisis communication in the event of a cybersecurity incident has become increasingly pertinent.
According to the National Cyber Security Centre, a cyber security incident is considered to be any adverse event that threatens the confidentiality, integrity, authenticity or availability of a network or information system.
While organisations are well-versed in GDPR and have operational structures for handling data breaches, what is frequently overlooked are clear communication processes and how to effectively communicate incidents to stakeholders.
Cybersecurity incidents range from data breaches and malware attacks to email phishing and ransomware, but while their nature may vary, the same fundamental crisis communication principles apply. Here are some updated tips to ensure your communication strategy manages and minimises the fallout without exacerbating the situation.
‘Failing to prepare is to prepare to fail.’
You should always plan for the worst-case scenario. An issue can occur at any time, from data breaches, employee issues and product/service failure to security problems and cyber-scares. Creating a cyber and data incident response plan can help minimise your reputational risk.
Prevention is the best cure. A clear plan is the first step in preparing for a crisis. Having a plan in place means you have a guideline for you and your team to follow, to manage the issue and minimise the risk. Your plan should include names and numbers of your crisis team, media statement templates and a list of relevant audiences to be communicated with.
Mind your stakeholders
In times of crisis, communicating with the media is critical, but there are other audiences you need to consider.
- Trade unions
In cases of a personal data breach, according to the Data Protection Commission (DPC), controllers are obliged to communicate to the data subject a personal data breach, ‘without undue delay’, where that personal data breach is ‘likely to result in a high risk to the rights and freedoms of the natural person’.
However, often it is not just “high risk” cases that need to be communicated to stakeholders. Depending on the situation, regardless of the risk level, it can be best practice to let your stakeholders know what has occurred and that you are dealing with it promptly.
Ensure your crisis plan has relevant names and contact details for your stakeholders. This will ensure you can communicate with them in a timely manner, should the need arise.
Spokespeople and media training
Only the company spokesperson should speak in front of the media. If other staff are approached by the media, they should have a pre-prepared response ready, directing enquiries to the relevant person. Ensure that all communications are channelled through your PR and crisis comms team to the appropriate people, to control the situation.
Crisis or none, ensure that you work with your PR team on media training for spokespeople. Springboard Communications regularly works with clients to prepare for interviews, identifying the questions that may be asked and discussing the most appropriate answers to those questions. And remember: never communicate anything to the media unless you know it is 100% true.
Mind your social media
In times of crisis, make sure that the digital team quickly removes any scheduled posts, and ensure that you have a plan of action ready for any anticipated queries that may come your way.
It is essential that you have a very clear social media policy in your workplace at all times. Staff should always be aware of what is appropriate to say online, on both company and personal accounts.