Post Equifax – 7 Comms Tips for Managing a Cyber Crisis

  • Almost half of all UK businesses have been victims of a cyber-attack or breach within the last 12 months

  • The boards of 68% of the UK’s largest companies have received no training to handle crisis communications in the wake of a cyber breach[2]

 

 

Most of today’s communicators believe they have the solutions for crisis communications sufficiently covered.

Businesses are still discovering that, when it comes to cyber-attacks, the impact of significant errors can be substantial (see Tesco Bank, Talk Talk, Wonga, Sports Direct, Yahoo et. al.). This is just decades after Johnson & Johnson showed the value of being candid with the public, during its Tylenol tampering crisis. Mistakes made during the 2007 crisis on the Virginia Tech campus and the 2015 Paris attacks, meant that, when it comes to the importance of prompt alerts during a crisis, U.S universities and the French Government learned in the most devastating way.

These data breaches—and their repetition—are not isolated incidents. For example, in a 2015 IBM study, the healthcare industry experienced the highest level of cyber security breaches. The findings discovered that over 100 million healthcare records had been compromised during the year, from over 100 countries.[3] In a recent test, cybersecurity firm FireEye examined 1,217 organisations around the world and found that 97 percent of them had sustained data breaches, despite their deployment of standard intrusion prevention systems.

Implementing this within crisis communications has been no less difficult, as practitioners became faced with a series of hard-learned lessons. . For the most part,  communicators today have felt well equipped with best practices for crisis communications, focusing on people before property, controlling the spread of the crisis, monitoring and correcting inaccurate reports or rumours,  as well as being as candid as possible.

The issue became apparent when an influx of data breaches struck a large number of the world’s most trusted brands, which these best practices were not equipped to handle. In quick succession, this challenged the efficacy of traditional crisis communications as organisations struggled to protect their brands from the impact of digital intrusions. Two of the most notable presidential elections in recent memory, the 2016 US Presidential Election and the 2017 French Presidential Election, also suffered enormous data breaches with thousands of confidential emails dumped into the public domain. Protection from cyber-attacks is becoming more complex.

The risk of cyber-attacks requires a complete re-think of crisis comms planning.

Many of the standard methods of preparing for, averting and managing crises proved to be totally ineffective in these instances.

  • Efforts to make data networks impenetrable to intruders turned out to be useless, as hackers found new routes to enter computer systems.
  • The carefully selected and prepared crisis teams, organised by corporate leaders to recover from physical disasters seemed largely irrelevant: hackers had done their damage, withdrawn customers’ personal financial information, and disappeared. That bell could not be un-rung.
  • Searching for root causes to repair was pretty much a futile exercise. As Georgetown University law professor Adam Levitin stated in The Atlantic, “JP Morgan spends crazy amounts of money on IT security and yet they can still be hacked. There’s really no way you can be connected to the Internet and keep things safe.”

In short, a cyber-attack is an entirely different kind of crisis, compared to  those communicators have previously prepared for.. In fact, the threat of cybercrime requires a complete rethink of crisis management and aversion.  Just as crises have evolved and increased in complexity, so must our attitude to crisis communications planning.

There are seven key ways in which managing conventional crises, differ from managing data breaches and cybercrime:

1.   VISIBILITY

Conventional crisis: Every type of conventional crisis is highly visible as it occurs. Organisations have no doubt that they dealing with a fire, flood, workplace violence situation, break-in, indictment or other unexpected situation.

Cyber crisis: The organisation that suffers a data breach, may not be aware of its occurrence for weeks or months after the initial attack. Hackers ran malicious software that swiped customer credit card information in Home Depot’s systems, for five months before it was discovered. FireEye’s Mandiant unit reports that the median time attackers were present on a victim network, before eventually being discovered, was 229 days in 2013.

2.   THREAT

Conventional crisis: Typical crises most often present a physical threat to people and/or property or, as in the case of a legal or regulatory crisis, a psychological and emotional threat to the organisation and its executives. Even in a legal crisis, the company may be viewed externally as the victim (of theft, embezzlement, fraudulent leadership).

Cyber crisis: A data breach rarely poses a physical threat to the victimised company, but it can lead to severe financial consequences for customers, suppliers and the company itself, as well as disastrous reputational harm to the company’s brand. The global average cost of a data breach is just over $3.6 millon.[5] The recent data breach suffered by Yahoo, in which over 1 billion records were compromised, resulted in $350 million being wiped off its value.[6] While the business is indeed a victim of cybercrime, it is frequently  perceived as a perpetrator of harm to its customers and suppliers for failing to sufficiently prevent cyber intrusion. Although the company may have taken reasonable steps to ward off network intrusions, hackers and professional criminals have clearly demonstrated that they can surmount these defences. A result may be that the company harbours a false sense of security about its networks, because of its investment in protection systems, making the organisation’s responsibility even greater when an intrusion ultimately does occur.

3.   SCOPE

Conventional crisis: A conventional crisis usually affects a geographically finite group of people—a company and its employees, a city, a state, a specific nation—who are at or close to the location of the crisis.

Cyber crisis: Data theft  or misuse may directly and immediately damage the finances and reputations of millions of customers, who are geographically far removed from the site of the breach. Additionally, an increasing number of cyber criminals are conducting blackmail attacks known as ‘ransomware’, in which they enter a corporate network and encrypt all of its files, making them inaccessible to the company. The criminals then seek to extort millions of bitcoins from the company in exchange for restoring access. The most notorious of these was the recent WannaCry attack, which impacted 74 different countries.[7] A number of different organisations have been effected, from NHS to FedEx and advertising giant WPP.

4.   RESPONSE

Conventional crisis: The communications team can take action immediately to respond to a conventional crisis, even as it continues to unfold. Status reports can be delivered in news conferences, websites can be updated, email and text messages can be dispatched to help keep people safe, as the crisis moves toward resolution and to project the organisation’s image of openness.

Cyber crisis: Immediate external crisis management communications, issued in response to the cyber intrusion, is not always the best practice. In fact, the action causing the crisis has likely been completed and what needs to be communicated is its potential impact on others. Resolution may be months away, but action in accordance with compliance laws may be required immediately. The recent popularity of ransomware means that criminals almost immediately announce that a company has been compromised. The attackers are owning the initial media narrative.

5.   CRISIS TEAM

Conventional crisis: Many crisis plans focus on the facility and who should do what to prevent a physical crisis from spreading, whether it be fire, flood, terrorist, power outage or other source of harm. In these plans, everyone plays a role in getting the company up and running again, managing their functions and areas in the plant, office or institution.

Cyber crisis: While everyone is responsible for using safe procedures online, cyber threats can be directly handled only by a small group of people from IT, the C-suite and perhaps outside technical experts. Most managers and employees will have little, if anything, to do with restoring the organisation’s capabilities. Therefore, they may feel frustrated at being unable to assist in speeding recovery and a return to normal operations.

6.   MESSAGING

Conventional crisis: Communicators prepare messaging for a very small group of people, perhaps the media spokesperson, a backup person, and top officers who will be communicating with regulators and customers. All others are advised to refer anyone who asks about the crisis to one of these spokespersons.

Cyber crisis: The entire organisation needs to be prepped with messaging. If a retailer suffers a data breach, checkout clerks must be equipped with messaging when people ask about the security of using their debit cards. Offhand, unprepared remarks from employees can lead the company to  even deeper trouble. Yet saying nothing to inquiring customers can spark suspicions of guilt and the organisation not acting in their clients’ interests. Mass messaging must supplement executive messaging.

7.   ASSESSMENT

Conventional crisis: In every conventional crisis, a primary concern of company executives and investigators is to locate the root cause of the crisis and take action to forestall  repetition. This kind of assessment normally produces recommendations for changes in policies, procedures, ways to strengthen security systems and/or physical changes to the facility.

Cyber crisis: When a cyber-attack occurs, the cause of the crisis may be easily discovered, but implementing steps to prevent its recurrence—such as arresting the cyber criminals or blocking their activities—may not be possible. Breaches frequently originate half a world away, where UK law enforcement has no jurisdiction and where the individuals responsible may be nearly impossible to identify. Organised gangs of cyber criminals operate from countries, where British officials often have little or no political influence and where these criminals are not pursued by local governments.

 

Poorly executed communications strategies, and their resulting impacts, are now just another financial risk attached to the increasing level of cyber-crime.

Responding to the changes will involve carefully reviewing and amending existing crisis communications processes and procedures, to bring them in line with this new and impending threat.

 

 

[1] https://www.gov.uk/government/news/almost-half-of-uk-firms-hit-by-cyber-breach-or-attack-in-the-past-year

[2] http://www.techuk.org/insights/news/item/11276-two-thirds-of-businesses-not-prepared-to-deal-with-a-cyber-breach

[3] http://resources.infosecinstitute.com/category/healthcare-information-security/healthcare-cyber-threat-landscape/top-cyber-security-risks-in-healthcare/

[4] Source: Detica report in partnership with the office of cyber security and information assurance in the cabinet office

[5] https://www.ibm.com/security/data-breach/

[6] https://techcrunch.com/2017/02/21/verizon-knocks-350m-off-yahoo-sale-after-data-breaches-now-valued-at-4-48b/

[7] https://www.theregister.co.uk/2017/05/13/wannacrypt_ransomware_worm/

[8] TIA’s 2010-2017 ICT Market Review and Forecast, available at: http://test.tiaonline.org/resources/market-forecast