Cyber crises may be driven by technology, but at their heart they are very human affairs.
Get the communications process wrong—a mistimed announcement, using the wrong tone or portraying a lack of transparency—and a company can go very quickly from being the victim of a cyberattack to being labelled the perpetrator that allowed the problem to happen.
How a company emerges, and how its reputation will be affected, is often decided by the emotional response of the people impacted, and there are several complexities to consider.
Sign up for our FREE weekly PRWeek Asia bulletin. Register here.
First, there is the difficulty of proving the source of an attack, or the ‘attribution problem’ that has dogged the internet almost since its inception. You may know how your system was accessed—it’s just that you may never find out exactly who did it or why they broke in.
Then there is the limited view of the data that has been compromised and exactly how many people have been affected. This increases the risk that a company may say too much too soon, or not say enough, sometimes leaving them in the embarrassing position of having to correct previous statements.
An added consideration is the increased scrutiny that regulators are putting on companies and their responses to cyber incidents, especially those where data is compromised. Fines can now be in the hundreds of millions of dollars under regulations such as the European Union’s General Data Protection Regulation, or GDPR, introduced in May 2018.
The view from experts is that companies should be ready for the greater involvement of watchdogs, no matter which jurisdiction they are operating in.
Lifecyle of a cyber crisis
In our experience, there are four key moments when communications teams must make decisions that can make or break their response handling: discovery, disclosure, live-handling, and de-escalation and recovery.
The discovery phase is that smack-in-the-guts moment when a company realises they have suffered a cyber incident or the real or potential loss of data. Companies can spend too long focusing on how an outside actor was able to access their systems, isolating the vulnerability and closing the security gaps. This is often to the detriment of the communications response. The biggest question a company needs to answer is not “why did this happen?” but “how do we now protect the interests of our stakeholders?”.
Once you are in the disclosure phase, the main thing staff, customers and clients will want to know is what they need to do to protect themselves. Are they still at risk? Is the company taking the right steps to ensure data is not being used for criminal purposes? Is the company monitoring the dark web? Will it protect them against identity theft or other problems?
Failure to address these questions will likely increase anxiety amongst the affected stakeholders. Instead, they need to see that the company is battling on their behalf and will continue to do the right thing by them, even if the spotlight of the crisis moves away.
In addition, the fluidity of social media and the speed that news can spread means the story can easily be controlled by external voices.
To counter this during the live handling phase, companies need to try to get ahead of the story, show transparency and reassess their responses. They will need to regularly engage with stakeholders, even though the uncertainties inherent in cyber issues means that communications teams will have to adapt faster and with more flexibility than in other crises.
Whether they like it or not, companies will often have to take bold steps in terms of sharing information. The prevailing view is that it is better to disclose early, rather than for the company to have to explain later why they delayed communicating a problem.
This type of decision-making requires clarity of leadership, which is hard to achieve if a company is simply reacting to events as they unfold. Most companies are aware of the issues they may face, and more are looking into developing communications protocols through cyber crisis workshops to speed up decision making processes and prepare them to these events.
More than anything, company leaders need to reassure stakeholders that they can continue to trust the brand and its values.
The best way to ensure that this continues is to build out consistent engagements with affected audiences during the de-escalation and recovery phase. This means making sure the company is the primary source of information (no surprises), clearly outlining the fixes it has put in place and focusing on the principle that the company will always protect stakeholders’ interests.
Forget this final point and even the best thought out cyber crisis responses will sound hollow.
Ben Richardson is partner and head of Asia at Finsbury