- Kateřina Kubíková
Cyber attacks are a growing threat to all companies. In today's world, it is more a question of when than if you will be attacked. Whether you fall victim to a ransomware or DDoS attack, it's important to know what to do in that moment. Ignorance and chaos will only exacerbate the effects of the attack itself. A cyber security incident can even trigger business continuity and disaster recovery plans, which should include effective crisis communications. But what should it look like? We will look at the basics of crisis communication in this article.
Establish procedures and methods for crisis communication in advance
When faced with a cyberattack, you intuitively try to salvage what you can, and your primary goal is to restore everything to its original state as soon as possible. However, in this tense situation, it's hard to remember who you need to inform first, what's important to communicate, and how. Preparing emergency communication procedures and methods in peacetime allows you to follow a prepared plan, increasing the speed of dealing with the situation, but also reducing stress and error.
Which channel to use to communicate?
Have you determined how you will communicate when emails or Teams don't work? Do you have relevant phone numbers, and a contact directory stored somewhere? It is crucial for a company to have a primary, as well as a backup, crisis communication channel established in the event of a cyber attack. There's nothing worse than fragmented communication across multiple channels. It is then important to update this channel as well and check its functionality if you switch to a different chat application or change your phone number over time, for example.
Who communicates with who?
For functional crisis communication, you also need to have a communication matrix in place. That is, identify the key people and list their contacts. It's also a good idea to include in the matrix who will be communicating to customers and how, if they are also affected by your service outage. This matrix will ensure quick and effective involvement of those responsible. However, remember to update it regularly and provide it to all relevant people.
For cases where standard measures are not effective and the emergency requires it, add escalation procedures to the communication matrix (e.g. involvement of other departments, management, external persons, state authorities, etc.).
Sequence of information
How to communicate during a cyber attack is discussed in the following lines. Here we will just mention that it is important to have communication in line with the priorities set out in the business continuity and recovery plans mentioned above. Emergency communication is a means and an integral part of recovery. It does not stand alone, and it is also important not to forget this.
What does effective crisis communication look like?
Emergency communication during a cyber-attack should follow a few basic rules. These are also good to have prepared and experienced before you really need them.
- Speed
Respond as quickly as possible. Mainly to avoid spreading speculation and confusion. For external communications, it is a good idea to have template messages prepared in advance for the person (usually a spokesperson for larger companies) who will communicate with the media and customers if the situation calls for it.
- Transparency
Speed is also related to content. When you don't yet know exactly what happened and what the consequences will be, it's good to take a less-is-more approach and share a minimum of information:
- You know something is happening.
- You address the situation.
- And most importantly, you will continue to report on the progress and resolution.
That way, employees affected by the attack will know that you are addressing the situation and trying to get it under control. The company should be transparent and communicate openly about the incident, its impact and the steps being taken to remedy the situation. Be sure to appropriately inform all parties involved or affected (including authorities, customers and your partners).
It is also advisable to stress in your crisis communication that you are aware of the seriousness of the situation and are sorry for the complications that have arisen (this depends on the specific cyber attack and its course). The aim is to express that you do not take the situation lightly. In the case of external communications, you may want to suggest to customers a temporary solution to their problems or other assistance you can provide. For example, a hospital affected by a ransomware attack may express support for patients and families and provide information about alternative medical facilities. With appropriate transparent communication, you build trust and reduce or limit reputational damage.
- Clear and short messages
More than ever, use simple and clear language when communicating a crisis. Avoid technical terms and even acronyms that may not be familiar even across the company. The goal is to make it easy and quick for everyone to understand the situation and know what to do. This will also avoid any misunderstandings and ensure that information is conveyed effectively.
- Regular updates
Crisis communication continues throughout the resolution of a cybersecurity incident, and for some time after it has been resolved. Therefore, provide regular updates and keep everyone involved informed of the progress of the resolution and next steps. In addition to maintaining trust, this will ensure that everyone has up-to-date and authorized information. Once the cyber-attack has been dealt with, it is advisable to share, especially within the company, an evaluation of the entire incident and key lessons learned for the future, so that the crisis communication and incident handling procedures set up can be improved (lessons learned).
Crisis communication training
All employees should receive regular cyber security training. However, training and awareness of crisis communication in the event of a cyber-attack should not be forgotten. Therefore, you can simulate a cyber attack and practice to make sure everyone responds according to the prepared a plan and knows what to do. This preparedness will be appreciated when a real cyber-attack occurs and you stand a chance that everything will be resolved faster, with less financial loss but also less reputational damage. It will also ensure that everyone's contact information is up to date and the communication matrix is functional.
Effective crisis communication is essential to maintain control of the situation and minimize damage, whether in a cyber-attack, but it can also be used in other crisis situations. However, in the event of a cyber attack, more than ever, there is a need to prepare for the possibility of failure of standard communication channels and the need to select back-up procedures that may not be ingrained in the company. The purpose of emergency communications is thus mainly to convey relevant information in a short time and to facilitate quick decision-making and incident resolution.
