Cyber hacking is a big talking point right now for our clients – from global software companies keen to learn how to give an expert opinion to the media in “non-geek speak”, to firms who want to understand how they should react publicly when their data is attacked.
And here’s why: just under half (46%) of all businesses in the DCMS Cyber Security Breaches Survey 2017 identified at least one breach or attack in the last year.
Yet only one in ten businesses has a cyber security incident management plan in place.
That’s the bad news; here’s the good bit: “Virtually all businesses (98%) who have a contingency plan in place for breaches say that the plan was effective for dealing with their most disruptive breach.”
And handling the media should be a key part of that plan.
As a form of crisis, a cyber attack presents a unique set of communications problems:
- Scale. As we saw with the WannaCry ransomware attack in May, a cyber attack knows no borders and can hit organisations of any size, anywhere, as varied as hospitals, parcel delivery firms and rail operators.
- Speed. WannaCry was detected on a Friday morning and by Monday it had hit 200,000 hospitals, companies, government agencies and other organisations in 150 countries.
- Stealth. Unless you’ve got a huge amount of expertise and/or tremendous tracking capability, you won’t see it coming.
- Complexity. Most victims won’t have any idea how the attack has happened; they’ll simply feel its impact. Plus, depending on its nature, fixing it may well be beyond their ability, so specialist help will be needed. Little wonder then that smaller companies are increasingly being hit by cyber attackers – they’re less likely to have the IT support and “Plan B” to deal with such a crisis.
This can all create a situation where, as a business, you now find yourself at the heart of a crisis that feels even worse, because you have very few answers to the classic crisis questions journalists WILL ask:
- What’s happened?
- How could it have happened?
- What are you doing about it?
And, of course, there’s the inevitable, but dreaded follow-up:
- Can you guarantee it won’t happen again?
So if your business comes under attack, what should your approach be to the media?
- Move fast. Even though you may know very little, say something – even if it’s only along the lines of, “We’re aware of this attack and are doing all we can to establish the cause/scale and then fix it [etc…], and will update you as soon as we know more…” This is invariably better than silence while you wait to find out more.
- Don’t just think “IT problem”. A cyber attack is an attack on the whole business – as we saw from WannaCry, it can affect patients’ scheduled operations and stop car production lines. Make sure the relevant executives – from HR to Legal – are all trained to face journalists. (And train the next layer of management, in case board members are on leave/at a conference/off sick.)
- Be honest. For example, if you’re asked how long you’ve known about a data breach and you know the answer, don’t obfuscate. If you refuse to give a clear response, someone else will, and you’ll go from looking evasive, which is bad enough when customers feel their personal details might now be in the hands of criminals, to looking downright dishonest, which is disastrous.
- Use the media to ease the crisis. Interviews can convey critical information to the masses and take the pressure off helplines, as well as win public sympathy and build up a crucial bank of goodwill. They also lessen the likelihood of the media “buttonholing” other employees, who might say something like, “This doesn’t surprise us at all – we’ve been warning management about poor data security for months!”. Ouch.
- Ditch “tech speak”. The more techie the crisis, the more you need to “speak human”. So don’t say, “It could have a material impact on our business,” if you mean “Some parcel deliveries might be affected”; instead of, “This has seriously compromised our functionality,” say, “Unfortunately, we’re not able to do much of the work we usually do”; and rather than “We’ve been analysing the binary,” simply say, “We’ve been checking the software for problems”. Last week we heard several internet security experts talking on TV about “exploits”. The vast majority of people – including us – have no idea “an exploit” is a piece of cyber software. Such terms can make you look arrogant and aloof – the last thing you want when things are already grim.
Facing the media after a cyber attack can feel like the stomach-churning corporate equivalent of accidentally dropping your smartphone – containing all your wedding photos and images of your children’s birthdays – into the ocean… before you’ve been able to copy them.
But having the knowledge to talk to the media in the right way is like realising a) you’d put a waterproof cover on it and b) you can reach down and scoop it up from the waves.
You can’t always predict the disaster, but you can plan your recovery.