Cyber crisis management: PR dos and don’ts after a data breach
It’s widely accepted that the risk of falling victim to a cyber attack has become just another part of doing business. But, especially in sectors where good customer service can give firms a competitive edge, the key to preventing a breach from causing excessive reputational harm is to communicate effectively with your stakeholders about the problem.
In January, Royal Mail was hit by a ransomware attack that prevented it from sending parcels out of the UK. The nation’s biggest postal service came under intense media scrutiny, yet it took a week for its CEO, Simon Thompson, to confirm publicly that the ongoing disruption had resulted from a directed cyber assault.
Another January incident, affecting the US Federal Aviation Administration (FAA), was so serious that flights had to be grounded. In scattered communications, the government agency insisted that it had yet to find any evidence indicating that a cyber attack had caused the outage in its air traffic control system. Several weeks on, little further information has entered the public domain.
Customers expect prompt, clear and honest communication when the services they’re depending on are disrupted, which is not always easy for an organisation to provide while it’s still trying to clear up the mess. What did Royal Mail and the FAA do right and wrong – and what lessons in emergency comms can these cases teach us?
The impact on the public
Experts agree that the responses of both organisations could and should have been clearer. While they did make statements, their initial outreach was “vague, which led to speculation and left the public frustrated”.
That’s the view of Jan Quach, global director of customer success engineering at cybersecurity specialist Logpoint. He believes that, when a provider’s services are seriously disrupted, it should publicly acknowledge the problem immediately.
“It isn’t necessary to state the cause at this stage, but you do need to say that matters are under investigation,” says Quach, who adds that it’s also important to tell customers when they can expect an update. “Neither Royal Mail nor the FAA did that, which fuelled the rise of online theories and negative stories.”
Yet there can be understandable reasons for a slow PR response, especially if an attack involves ransomware. The inner workings of most large organisations tend to have “many moving parts, outsourced services and bespoke systems, which all add to the drag factor”, notes Chris Boyd, lead malware intelligence analyst at Malwarebytes.
Royal Mail’s reaction time was “roughly on par” with those of other big enterprises that have faced similar situations, he says. “If an organisation grinds to a halt or announces a cyber attack without immediately going into details, there’s a good chance that a few days of silent damage analysis and containment will precede a mention of ransomware.”
Lauren Wills-Dixon is a solicitor and expert in data protection at law firm Gordons. She agrees with Boyd that, when a cyber incident occurs, it can take time for the victim to understand the full extent of the problem with any level of confidence.
This factor can make stakeholder comms difficult and it’s usually why the initial message is vague, Wills-Dixon says. “Only after technical teams have worked to understand what has happened with certainty will more details filter through.”
How victims can improve their responses
Unclear post-incident comms can usually be attributed to the lack of a highly developed, well-rehearsed crisis response, argues Stephen Bailey, who leads the global privacy practice at cybersecurity consultancy NCC Group.
In Royal Mail’s case, its CEO’s lengthy radio silence “resulted in the narrative centring on the missteps of the organisation’s response, rather than the attack itself”, he notes, adding that better preparation would have helped both Royal Mail and the FAA.
“This means having an actionable crisis plan in place and an agreed decision-making hierarchy.” Bailey says. “If you believe you’ll need external support – such as a hotline for affected parties or a dedicated response and recovery team – ensure that they’re on a retainer and can be activated immediately.”
Preparation is especially important when speaking to the media. “If you’re putting a spokesperson forward, whether that’s the CEO or someone in a comms role, ensure that they’re fully briefed. Otherwise, there’s a risk that they’ll look as though they’re evading questions,” he says, pointing to Thompson’s uncomfortable experience at a hearing of the Commons select committee on business, energy and industrial strategy last month.
Bailey would advise any firm to decide now on the communication style it would use in the event of a serious cyber breach. Its leaders need to ask themselves questions such as: “Are we going to be as transparent as possible or share only what’s absolutely necessary without obfuscation?”
He also recommends training a small team to be the first point of contact for external stakeholders seeking information about the incident.
“Be consistent with your communications,” Bailey urges. “Include what happened, how it’s being addressed and what measures will be taken to prevent future incidents.”
Wills-Dixon cites the recent attack on JD Sports as an example of strong post-incident communications. “These were honest, apologetic, solution-focused and not overly technical,” she says.
The legal considerations
There are also statutory requirements such as the EU update to General Data Protection Regulation (GDPR) and UK Data Protection Act 2018 to take into account in the event of a breach. Factors influencing post-incident comms include whether personal data is involved, whether hackers have exploited the data and whether people’s rights are at risk, Wills-Dixon explains.
“If there is a significant risk, the organisation must work hard to reassure its customers and mitigate the reputational damage,” she stresses.
In the UK, any security breach involving personal data must be disclosed to the Information Commissioner’s Office. “The obligation is to report within 72 hours, even if there are still unknowns surrounding the incident,” Wills-Dixon says
Overall, the most effective response will involve a holistic and “big-picture” approach to stopping the attack and mitigating its impact. This includes containing the breach, restoring data, dealing with communications, seeking expert guidance, undertaking legal reporting and avoiding a silo mentality.
To avoid lasting damage to your brand’s standing when a cyber attack hits home, speed of communication is key, according to Wills-Dixon. Such incidents are likely to “result in a temporary reputational hit”, she says, “but it is better for organisations in the longer term to be open, sharing details and controlling the narrative as soon as they can, rather than burying their heads in the sand.”