Effective crisis communications is vital in a cybersecurity incident
It is more crucial than ever for businesses to have a well-defined crisis communications plan in place to navigate the unexpected, including cyber-attacks.
Richard Brown, Director of the National Cyber Security Centre, warned that Ireland will be at a “far greater” risk of significant cyber attacks in the next two years. The risks have multiplied and there is a “significantly heightened geopolitical risk” at the moment.
Hackers are increasingly targeting IT and physical supply chains, launching widespread cyber assaults, and devising innovative methods to extort money from companies, regardless of their size. Currently, the majority of ransomware attacks involve the theft of personal or sensitive business data with the intention of extortion. This not only raises the cost and complexity of such incidents, it heightens the potential for damage to a company’s reputation. According to Allianz Commercial’s analysis of significant cyber losses, there has been a continuous increase in the instances where data is exfiltrated, with the proportion doubling from 40% in 2019 to nearly 80% in 2022, with 2023 activity tracking even higher.
Cybersecurity incidents can target any business, and with the continued prevalence of hybrid working, the need for effective crisis communication in the event of a cybersecurity incident has become increasingly pertinent.
According to the National Cyber Security Centre, a cyber security incident is considered to be any adverse event that threatens the confidentiality, integrity, authenticity or availability of a network or information system.
While organisations are well-versed in GDPR and have operational structures for handling data breaches, what is frequently overlooked are clear communication processes and how to effectively communicate incidents to stakeholders. This is where a crisis communication plan comes into place.
From data breaches and malware attacks to email phishing and ransomware, while the nature of cybersecurity incidents may vary, the same fundamental crisis communication principles apply. Here are some updated tips to ensure your communication strategy manages and minimises the fallout without exacerbating the situation.
‘Failing to prepare is to prepare to fail.’
You should always plan for the worst case scenario. An issue can occur at any time, from data breaches, employee issues and product/service failure to security problems and cyber-scares. Creating a ‘cyber and data incident response’ or crisis communications plan can help minimise your reputational risk.
Top Tip:
Prevention is the best cure. A clear plan is the first step in preparing for a crisis. Having a crisis communications plan in place means you have a guideline for you and your team to follow, to manage the issue and minimise the risk. Your plan should include names and numbers of your crisis team, media statement templates and a list of relevant audiences to be communicated with.
Mind your stakeholders
In times of crisis, communicating with the media is critical but there are other audiences you need to consider.
These include:
- Staff
- Investors
- Suppliers
- Consumers
- Trade unions
In cases of a personal data breach, according to the Data Protection Commission (DPC), controllers are obliged to communicate to the data subject a personal data breach, ‘without undue delay’, where that personal data breach is ‘likely to result in a high risk to the rights and freedoms of the natural person’.
However, often it is not just “high risk” cases that need to be communicated to stakeholders. Depending on the situation, regardless of the risk level, it can be best practice to let your stakeholders know what has occurred and that you are dealing with it promptly.
Top Tip:
Ensure your crisis communications plan has relevant names and contact details for your stakeholders. This will ensure you can communicate with them in a timely matter, should the need arise.
Spokespeople and media training
Only the company spokesperson should speak in front of the media. If other staff are approached by the media, they should have a pre-prepared response ready, directing enquiries to the relevant person. Ensure that all communications are channelled through your PR and crisis communications team to the appropriate people, to control the situation.
Top Tip:
Crisis or none, ensure that you work with your PR team on media training for spokespeople. Springboard Communications regularly works with clients to prepare for interviews, identifying the questions that may be asked and discussing the most appropriate answers to those questions. And remember never communicate anything to the media unless you know it is 100% true.
Mind your social media
In times of a crisis, make sure that the digital team quickly removes any scheduled posts and ensure that you have a plan of action ready for any anticipated queries that may come your way.
Top Tip:
It is essential that you have a very clear social media policy in your workplace at all times. Staff should always be aware of what is appropriate to say online, on both company and personal accounts.
To find out more about how to put a crisis comms plan in place for your business, contact us today or explore our range services.
For more stories like this sign up for our Insights newsletter ›
BACK TO TOP