Opinion | Navigating the unexpected: Responding to a cyber hack with crisis communications

Cybercrime is now more profitable than the entire trade in illegal drugs combined, according to Cybersecurity Ventures, writes Matthew Whalley, co-founder and MD, Ilex Content Strategies. The research firm expects it to be a $10.5 trillion industry by 2025. The scale of the opportunity means that the risks brands face from data breaches, ransomware and other cyber threats are growing exponentially.

This year, the UK Government Cyber Security Breaches Survey revealed that 50% of UK businesses had suffered a cyber-attack within the last 12 months, highlighting the increasing occurrence of cyber-related crime. Cyber risks are not just a technical challenge, but can put reputation, revenue, and an organisation’s existence in jeopardy.

Every organisation needs to be prepared for the inevitable and have a crisis communications plan in place. Damage control depends on being prepared and walking through defined steps that limit the impact of any cybersecurity incident. 

Bringing clarity to a crisis

One of the most disturbing aspects of cybercrimes is that an organisation can be hacked and not know it. A company’s data may be compromised but hackers may not take any action for months. They may take time to observe how the organisation functions and harvest information or they may make immediate ransom demands. 

There’s no standard approach so crisis communications planning needs to be flexible, adaptable and ready to change as new information comes to light. During a cyber incident, clear and coordinated communication with stakeholders, including customers, employees, and the media, is critical for controlling the narrative and preventing misinformation. 

The recent CrowdStrike outage that caused global issues for Windows computers showed how effective a good crisis plan can be in mitigating fallout. The company immediately responded by owning the issue, moving quickly to repair it and constantly keeping customers updated about what it was doing. In this way it was able to drive the narrative, eliminate speculation and reassure customers that the issue would be robustly dealt with. Had such a plan not been in place, the company would have lost valuable time trying to formulate one, missing out on critical time needed to deal with the issue at hand and reassure customers and the wider market.

Controlling the narrative

In the aftermath of a cyber-attack or data breach, organisations need to control the narrative surrounding the crisis. To do this, brands must be prepared to undertake the following steps immediately:

  • Take immediate ownership of the situation. As far as is possible, you should be the first source to break the news to demonstrate transparency and trust. 
  • Have a dedicated communication channel ready in preparation for rapid response to match the speed of social media. 
  • Acknowledge the incident and let the public know you are dealing with it. An initial statement is an important way to communicate what you know so far, the next steps and key messages you want to convey. 
  • Communicate proactively, but do not share information that has not yet been confirmed, as this will only add fuel to speculation.
  • Keep an open, two-way conversation with your stakeholders to ensure they are informed regularly with the latest information. 


Target your messaging

An effective crisis communications plan should include an analysis of stakeholders, giving a clear understanding of who an organisation needs to communicate with and their unique interests and needs. For example, investors will typically be more concerned with the financial implications of a cyber-related incident, whereas customers will focus more on consequences such as personal data being compromised. Make sure your communications address each of these stakeholders.

Nominating a key spokesperson

In the wake of a cyber-attack, an organisation’s press office and incident response team could be inundated with inquiries. A good crisis communications strategy requires a coordinated response to ensure consistency across all media platforms. Organisations should nominate a key spokesperson to deliver a consistent voice to internal and external stakeholders. It’s important that this person is media trained and can relay the company’s key messages, which will have been crafted long before a crisis ever arose.

Monitor social media 

Social media is the fastest moving communication channel between organisations and the public. It can offer businesses valuable information and an insight into public sentiment. By regularly monitoring social media, crisis management teams can be alerted to out-of-control rumours and intervene. However, it is important to brief employees on delivering a consistent message, as varying responses make companies look unprepared, disorganised and potentially untrustworthy.

Review the lessons learned

In the event of an incident, organisations should hold a debriefing session with those who contributed to the incident’s resolution. This should reflect on what went well and what could have been done better, with the genuine intention of learning from the experience and determining what factors contributed to the incident in the first place. Instead of attempting to pinpoint a single root cause, they should take a systemic approach. The objective should be to prevent and improve in the future, as there will have been numerous factors at play, and understanding how they interact is critical for improving organisational resilience.

Done well, crisis communications help organisations navigate unfortunate events such as cyber-attacks, minimising reputational damage and maintaining trust by demonstrating responsibility and resilience. Lack of preparedness can see years of reputation building squandered overnight. Most organisations now accept a cyber-attack will happen – how you prepare and respond can make the difference between surviving an attack or not. If you don’t have a plan in place should this happen to your brand, you are leaving yourself unnecessarily at risk.