A hijacked DNS service provider took out much of the internet on Friday, using our own devices against us and reminding us that business disruption is inevitable. As if in anticipation, last week the White House announced a new privacy office within the Office of Information and Regulatory Affairs to protect information about the American people. “If we don’t invest in privacy today, the issues will only be more challenging tomorrow,” warned Shaun Donovan, director of the Office of Management and Budget.
First Response to Cyberattack? Communicate.
Earlier this month, I spoke on a panel where a cyberattack was simulated, and IT specialists, cybersecurity analysts and even an FBI agent came up with responses. The cybersecurity investigator from Kroll pointed out that most cyber victims are hacked weeks, maybe months, before detection. Going back in time to unravel the damage is painstaking work. It would be much better and less expensive, he said, to proactively secure systems and block attacks.
An advance plan for communicating with your stakeholders (employees, customers, vendors and investors) also is recommended. But the most important thing for company leaders to decide is their intent. We recommend that intent be transparency. Timely communication is just as important to businesses as stopping the criminals. Accurate information protects employees, retains customers and keeps business afloat. At the first hint of a cyberattack, companies that act quickly will see their brand enhanced and those that don’t will be damaged.
If you don’t have an action plan, here are your first steps when attacked:
- Assess the extent of the damage — Develop statements, work with attorneys to review for all stakeholders and sequence your outreach to the board, investors, customers, employees, vendors and media. Keep the lines of communication open. “We don’t know yet” is an answer. “No comment” is not.
- Tap into social media — Post that your full statement is coming. Look for questions and engage your crisis team to craft short, declarative responses.
- Establish when and how frequently you will reach out in days to come — Consider a webcast or, if you’re in the too-big-to-fail category, a press conference.
- Prep the CEO or other spokesperson — Take advantage of media interviews to tell your side of the story. All designated responders should be fully briefed and updated during the crisis period. Enlist experts and outside security specialists to make sure statements are accurate and precise.
Preparation is the Best Insurance
Cyberattacks are intended to create confusion and disruption. The goal of crisis communications is clarification, perspective and equilibrium. Even if your company is too small to have a full-time crisis communications team, designate a leader and the specific members of the group. Identify an outside crisis firm to develop a plan. You can pay for the plan and then just keep them on call. Identify the best in-house players and get them working together. The CEO, board members, IT, legal counsel, accountancy and marketing leaders should all work on the “murder board” where tough questions and worst-case scenarios can be addressed. Critical thought now makes for bullet-proof answers when the target is you.
Successful crisis communications in the midst of a cyberattack depends not only on managing the flow of information, but also on making sure the people on your side represent accuracy, forthrightness and company policy. Perception is reality, and the reality is you can create the perception across multiple platforms, from Twitter, Facebook and e-newsletters to print and broadcast.
