Cybersecurity experts tell organizations that the question is not if they will become the target of a cyberattack but when. Often, the focus of response preparedness is on the technical aspects — how to stop the breach from continuing, recovering data and getting the business back online. While these tasks are critical, many organizations overlook a key part of response preparedness: crisis communication.
Because a brand’s reputation often takes a significant hit, a cyberattack can seriously affect the company’s future success and revenue. However, effective crisis communication helps increase customer trust in your business’s ability to recover and manage the issue. By preparing for crisis communication before an incident and then following a solid plan, you can steer your organization through the storm.
How to plan your cybersecurity crisis communication
Successful crisis communication begins well before any cybersecurity incident occurs. Some companies include cybersecurity crisis communication as part of their overall disaster recovery plan, while other businesses have a standalone plan.
Melanie Ensign is the founder and CEO of Discernible, a multi-disciplinary Communications Center of Excellence for security, privacy and risk teams. Ensign says that many companies sleep on security until something goes wrong and then they are trying to earn the benefit of the doubt in an unfavorable environment.
“When I work with clients, I ask them if something were to happen tomorrow, what would you want to be able to say? What do you wish was true, that you would be able to say in response to this incident?” says Ensign. “They tell me how they want to show up as a company, what values and characteristics they want to express. We then work to make all of those things true because if it’s not true, we can’t say it.”
Here are three keys to building the foundation needed to successfully manage a crisis.
1. Create a crisis communication committee
Have a team of employees responsible for collaborating across the organization and managing all communications when an attack occurs. This ensures that communication does not fall through the cracks and reduces the spread of misinformation. Create a team that includes members across the organization involved in cyber response, such as legal, cybersecurity, general management and PR.
2. Create a crisis communication plan
After the committee is assembled, one of the first priorities is to detail all tasks and determine who the responsible party will be for all communication after a cybersecurity incident. Ensign says it’s important to get all key executive decision-makers to agree in advance, or they are likely to make up their own plan once they feel uncomfortable during the incident. She also says a plan is essential because it provides a playbook: if a key decision-maker is unavailable during an attack, another leader can easily fill in.
Because cyberattacks can involve many different schemes, from ransomware to data breaches, the plan should identify as many scenarios as possible and then detail an appropriate draft for each of them. The plan should also include communication points with other departments as well as the channels used, including email, website and social media.
“You need to be able to demonstrate to regulators that you had a plan and that you followed it. Sometimes, you may need to deviate from the plan. We learn things through incidents where we need to tweak our plan because this wasn’t exactly what we needed it to be and a plan helps justify all of those deviations,” says Ensign.
3. Conduct breach simulations for the entire team
While many organizations rehearse cyber response with the technical team, you should also include crisis communication as part of the simulation. Because a real attack is very stressful for everyone in the organization as well as outside stakeholders, practicing the response reduces tension, anxiety and potential errors.
What to do during a cybersecurity crisis
Once a cybersecurity attack is identified, it’s time to put your crisis communication plan into action. Because real situations often vary from plans and emotions are high, it’s vital to keep the following in mind throughout each step.
1. Communicate quickly and with as much transparency as possible
The quicker you communicate, the fewer rumors and less speculation will appear. As soon as you have basic information about the attack and the impact, share an initial statement that clearly explains what happened and any changes to business processes. If the attack was due to a mistake by an employee or the company, take responsibility. Explain how the company will communicate updates, such as through social media or a dedicated webpage, as well as a timeline for future updates. The first communication should also include any steps that people potentially affected should take, such as changing passwords or monitoring their accounts.
2. Set up a process for consumers to get additional information
Let affected customers know how to get additional information for their specific situation, such as a phone hotline or dedicated email. Make sure these channels are continuously monitored and that questions are responded to quickly. After the recent Change Healthcare breach, the company set up a dedicated website for information that also included a phone hotline.
3. Update communication regularly
Because a cyberattack is an evolving situation, you can rebuild trust by keeping in regular contact with all affected parties. By providing updates, you let customers know that you are taking the situation seriously and are taking action. Change Healthcare created a detailed webpage that provided the status of all business functions as well as the expected restoration date of each, which was updated daily during the height of the recovery.
“Your customers and people impacted by the incident are going to care about it far longer than the media,” says Ensign. “Just because it’s not in the media anymore doesn’t mean that it’s not important to continue communication.”
4. Share how the organization will reduce risk in the future
After the SolarWinds attack, the company brought in Alex Stamos, former Facebook and Yahoo security chief and current professor at Stanford University, and Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency (CISA), as independent consultants for SolarWinds’ recovery, which improved confidence in the organization’s future cybersecurity. SolarWinds also made significant changes in its security layers to reduce future risk, which they communicated to the public.
Have a communication plan in place
A cyberattack contains many unknowns and is a complex situation. By having a solid plan ready and a team to manage the communications, you can easily make changes based on the specific situation. With effective crisis communication, your company can get to the other side of a cyberattack with even more trust from your customers based on your response and communication.
“It’s important to have all communication plans, programs, assets, material, relationships in place before something happens,” says Ensign. “When that day comes, because we all know that day is coming, you have all of those things at your disposal and you can actually show up the way that you want to.”
Now that we have discussed what TO do regarding communication in a crisis, check out our next story in this series, Crisis communication: What NOT to do.