Cyberattacks are becoming more frequent. That means it’s more important than ever to know how to ensure effective communications during a cyberattack. You need to have a plan in place.
I recently moderated a panel of cyberattack response experts at a business and industry conference. A few weeks later I attended a similar event sponsored by a state business news journal. The speakers and panelists at both events were knowledgeable and articulate. In addition, the audiences – professionals and C-Suite executives – were informed, engaged and appreciative of what the experts had to say. In short, both events were terrific.
However, during all our conversations about law, insurance and technology, something was missing. I didn’t hear any discussion about what an organization must do to protect its reputation and preserve the strength of its brand when (not if) it is the victim of a cyberattack or data breach.
Don’t Neglect Communication
I am a strategic communications consultant who advises clients facing:
- fallout during and after a cyberattack
- litigation
- criminal investigations
- allegations of financial wrongdoing
- allegations of improper employment practices
- public and media scrutiny over all kinds of reputational threats
As a result of my experience with these clients, I’ve seen that the answer lies in how the organization under siege communicates about the crisis.
Communication is important in any relationship. But effective communication is crucial if a data breach undermines the trust and confidence of Board members, employees, clients, customers and the public.
Perhaps even more than the breach itself, an organization’s communication and messaging about the crisis can mar or mend its reputation, sink or buoy its brand.
10 Ways to Ensure Effective Communications During a Cyberattack
1. Have a Communications Plan in Place Ahead of the Crisis
… and practice it.
Trying to cobble together an impromptu communications strategy during a cyber incursion or data breach will likely compound problems. While it’s impossible to know details in advance, have a boilerplate response ready to fine-tune. And don’t just write it down. Practice. Drills are as important to the communications aspects of your incident response plan as they are to every other aspect of your response.
2. Establish a Clear Communications Chain-of-Command
Institutionalized protocols make this easier. Everyone in the organization should know who leads communications efforts. Not only that, but everyone should know how to get an inquiry to them, whether it’s from a vendor, client, the public or the media. Public-facing employees should also know exactly what information to collect from callers.
3. Establish a “Spokesperson Only” Response Policy
It is essential to speak with one voice. An organization should designate a single spokesperson (and alternates, in case that person is unavailable) to be its public face during a breach. No one else in the organization should speak publicly about the situation on behalf of the company. When members of your organization share inconsistent information, it undermines the narrative you’re trying to establish, dilutes your message, and calls into question the authority and trustworthiness of the official spokesperson. The worst outcome is when the conflict itself becomes the focus of media reports, further eroding public confidence. Speaking with one voice is one of the best ways to ensure effective communications during a cyberattack.
4. Prepare Employees for Stealth Inquiries
Reporters don’t always identify themselves. Employee training should include warnings against speaking about the situation with anyone outside the organization even if the outsider appears informed.
5. Your Legal and PR Consultants Are Key Members of the Team
Legal will help protect a future litigation strategy should the breach result in a lawsuit. Communications experts craft strategies, draft statements and coordinate messaging to help protect your organization’s reputation and brand. As with any aspect of your incident response plan, seeking and vetting professionals after a breach becomes known leads to delays and makes mounting an effective response strategy all the more difficult. Outside professionals should be identified (and preferably put on retainer) in advance of a crisis and should be alerted at the first indication that a breach has likely occurred.
6. Establish Good Media Relations Before Bad News Brings Reporters to You
Get to know reporters (and editors) at local and regional media outlets that cover your organization and your profession. If those outlets also have a reporter on the data beat, introduce yourself and your company to them as well. Having a prior relationship enhances trust, aids credibility, and might help influence the story’s focus or how it’s told. So much of the impact a story has on the public depends on tone. A reporter who knows you is more likely to approach the story with a sympathetic ear.
7. Never, Ever Say “No Comment”
Saying “no comment” is not how to ensure effective communications during a cyberattack. It’s the opposite. You may as well say “Guilty as charged,” because that’s how the public hears “no comment.” There are many ways to respond when you have nothing to say. For example: “It’s a complicated situation. We don’t know a lot yet, but as we can share more, I will.” Then, when you can share more, do so, because you want the journalist to trust you and think of you as a credible source.
8. Show Concern for Victims
It’s hard to focus outside your own operations during a breach, but others are also impacted. Patients in a hospital under a ransomware attack may suffer real harm if doctors can’t access vital data. Bank customers, learning of a breach, fear for their savings. You can bolster trust, boost your reputation and protect your brand by quickly and sincerely expressing concern for other victims’ welfare and sharing your plans to keep them safe.
9. Keep Employees Informed
When a data breach occurs, confusion and fear spread through an organization like wildfire. While only a few employees may be directly involved, don’t leave others guessing. You don’t want staffers to receive news, especially bad news, by reading it online. As you craft your public statements, be sure to communicate with staff and other internal stakeholders as quickly and as completely as possible. Also remember to share updates regularly, particularly as pertinent information becomes available.
10. Communicate Your Post-Recovery Plans
It’s popular wisdom that people have become numb to cyberattacks and data breaches. However, your clients will likely bolt to a competitor if their faith in you is shaken. To keep their trust and bolster your brand, communicate how you’ll protect them going forward. Acknowledging responsibility for improvement – and having a plan – goes a long way.
The better thought-through your communication strategy, the more likely your message will be received as authentic, informed, and sincere. The more practiced your team is in delivering the message, the more effectively it will protect your organization’s relationships … and its reputation.
Respond without a strategic communications plan and you risk alienating clients, demoralizing employees, and undermining your organization’s future.