It is vital that every business, no matter how big or small, has a clear crisis communications plan in place for when the unthinkable happens. Cyber attacks can happen to any business – regardless of size. This is more relevant now in 2021 than ever before, as most businesses continue to operate remotely. Effective crisis comms is vital in a cybersecurity incident to mitigate risks.
According to the National Cyber Security Centre, a cyber security incident is considered to be any adverse event that threatens the confidentiality, integrity, authenticity or availability of a network or information system.
While organisations are aware of GDPR and have operational structures in place to deal with a data breach, what is often forgotten are clear communication processes, and how to effectively communicate incidents to stakeholders.
From data breaches and malware attacks to email phishing and ransomware, while cybersecurity incidents may vary, the same fundamental crisis communications principles still apply. Here are our top tips to ensure your comms outreach manages and minimises any fall-out, without adding more fuel to the fire.
‘Failing to prepare is to prepare to fail.’
You should always plan for the worst-case scenario. An issue can occur at any time, from data breaches, employee issues and product/service failure to security problems and cyber-scares. Creating a cyber and data incident response plan can help minimise your reputational risk.
Prevention is the best cure. A clear plan is the first step in preparing for a crisis. Having a plan in place means you have a guideline for you and your team to follow, to manage the issue and minimise the risk. Your plan should include names and numbers of your crisis team, media statement templates and a list of relevant audiences to be communicated with.
Mind your stakeholders
In times of crisis, communicating with the media is critical but there are other audiences you need to consider.
- Trade unions
In cases of a personal data breach, according to the Data Protection Commission (DPC), controllers are obliged to communicate to the data subject a personal data breach, ‘without undue delay’, where that personal data breach is ‘likely to result in a high risk to the rights and freedoms of the natural person’.
However, often it is not just “high risk” cases that need to be communicated to stakeholders. Depending on the situation, regardless of the risk level, it can be best practice to let your stakeholders know what has occurred and that you are dealing with it promptly.
Ensure your crisis plan has relevant names and contact details for your stakeholders. This will ensure you can communicate with them in a timely manner, should the need arise.
Spokespeople and media training
Only the company spokesperson should speak in front of the media. If other staff are approached by the media, they should have a pre-prepared response ready, directing enquiries to the relevant person. Ensure that all communications are channelled through your PR and crisis comms team to the appropriate people, to control the situation.
Crisis or none, ensure that you work with your PR team on media training for spokespeople. Springboard Communications regularly works with clients to prepare for interviews, identifying the questions that may be asked and discussing the most appropriate answers to those questions. And remember: never communicate anything to the media unless you know it is 100% true.
Mind your social media
In times of a crisis, make sure that the digital team quickly removes any scheduled posts and ensure that you have a plan of action ready for any anticipated queries that may come your way.
It is essential that you have a very clear social media policy in your workplace at all times. Staff should always be aware of what is appropriate to say online, on both company and personal accounts.