Briefing on Cybersecurity Crisis Communications: Five Key Takeaways

FTI Consulting’s Strategic Communications team hosted a briefing with Richard Browne, Director of the Irish National Cyber Security Centre (NCSC). The event focused on the importance of communications in a cybersecurity incident and the critical role communications professionals play in incident planning and response.

Regardless of size or industry, it is widely recognised that almost every organisation will, at some stage, face a cybersecurity incident. As we have seen from many high-profile incidents, an organisation is generally not criticised because a cybersecurity incident has occurred; criticism is more often levelled at the organisation’s response. How an organisation chooses to respond can have significant reputational and financial implications, which can persist long after the cyber issue has been resolved.

The conversation covered the many communications considerations for organisations in preparing for, and responding to, such an incident when it occurs. Below we outline five key takeaways from the briefing:

Ransomware remains one of the top cyber risks for all organisations

Ransomware remains the biggest concern, with phishing a key delivery mechanism. Attackers are also increasingly using third-party systems to infiltrate an organisation, known as a ‘supply chain attack’. Organisations should remember that a ransomware attack is not simply an IT problem; it is extortion. How an organisation manages the communication around such an attack is critical for reputation management.

Preparation is key; minimising stress and uncertainty during an incident

Preparedness is key to the successful handling of cybersecurity incidents, and communications is integral to this. Organisations should ensure communications professionals play a central role in the development of crisis management plans, in conjunction with technology and operational teams and alongside company leadership. Scenario planning is key to ensuring timely messaging, and communications managers should have a playbook with pre-prepared statements ready to issue in such an event.

Communications teams should engage the expertise of their legal teams and communications advisors when preparing these statements. While any statement would naturally be tweaked at the time of an incident, it is far from ideal to have to start writing statements in the immediate aftermath of a response. Preparation minimises stress at a time of maximum uncertainty. At the time of finalising statements before issue, companies should avoid including any uncertain information that may need to be corrected at a future point, or that the ‘attacker’ could leverage.

Prepare to be locked out of primary communications systems

In the immediate aftermath of a cybersecurity incident, organisations may have limited access to their IT systems – or can be completely locked out. This could extend to being locked out from e-mail, contacts and any documents saved on the corporate network. Even where access to corporate email systems is available, they should not be used to share information as they may be compromised by the attackers. Organisations should ensure their playbook and any pre-prepared documents for such an event are accessible outside of these systems. Other practical considerations include saving your key contacts and social media passwords outside of the system – in a secure way – and having a plan for how you will contact all stakeholders, both internal and external, when primary communications systems are offline.

Employees are often a forgotten stakeholder group

While an organisation will have several stakeholder groups to engage with following a cybersecurity incident, internal communication with employees, who will likely be directly impacted by the incident, is critical and should be a priority for all organisations. It is important that employees do not learn of an incident or any developments through the media. This can be difficult when IT systems are down, so this is a critical aspect of preparedness. Employees are also likely to form part of the frontline response to other stakeholders, and ensuring they understand what’s happening, how to respond to key questions and the expected timeline to system restoration (to the extent known) is central to maintaining wider stakeholder trust in the company and in its response to the attack.

Ongoing day-to-day communications and training can also play a role in fostering good cybersecurity practices in organisations, known as ‘cyber hygiene’, to reduce the risk of an incident. Good cyber hygiene practices in an organisation can help reduce the risk of an employee clicking a phishing link.

Communication is fundamental

Above all else, clear, candid and certain communication is fundamental to effective cybersecurity incident response. Clear messaging which communicates that an organisation is in control of the response is critical. Companies are unlikely to be criticised for being attacked, but will be for a sloppy or ineffective response. Messaging needs to be consistent across all communications channels – key to combatting misinformation and speculation.

An open and transparent communications response not only protects the trust you have built with stakeholders but also enables others to gain insights for their own preparations for future attacks. Communications also provides an important audit trail, and can be used to demonstrate to regulators and litigators what actions were taken to ensure those impacted were kept informed throughout the incident and in the aftermath.

Organisations and communications managers should consider their preparedness for a cybersecurity incident and have their playbook ready to action. The National Cyber Security Centre has published guidance for organisations on its website, https://www.ncsc.gov.ie/.

FTI Consulting’s Strategic Communications team brings together experienced crisis and communications professionals with experts who understand cyber incidents. We can also help build crisis management plans, develop communications playbooks, and run exercises to help prepare for a cybersecurity incident.

The views expressed in this article are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.

©2022 FTI Consulting, Inc. All rights reserved. www.fticonsulting.com