Suffered a cyber attack? Are you ready to face the music?
A mere six months ago you were a small ‘widget’ manufacturer based in the West Midlands. A family business, now in its third generation. The company had provided well for you and your family for as long as you can remember. You prided yourself on your craft and the high quality of your workmanship. Then something changed.
It’s all a bit of a blur now, but you were approached by a major brand in the USA to make a small, well-engineered sensor for a forthcoming market-changing gadget. You jumped through all the hoops, all the due diligence and then ramped up production to meet this amazing opportunity.
The problem is that, as a sub-contractor for ‘that client’, your company has now attracted the attention of others who are determined to learn the details of your design, understand your contract with ‘the client’ and see whether you are a weak link in a supply chain that, if compromised, would embarrass ‘the client’, who is one of the world’s most respected companies. Their determination has paid off: you have been breached, and data that was labelled ‘company confidential’ and contained both your intellectual property and that of ‘the client’ is now starting to surface in the dark recesses of the un-Googled web.
It’s time to come clean, it’s time to admit to this failing, it’s time to let those who need to know, know. But who are you going to tell? And exactly what are you going to tell them? Welcome to the world of crisis communications, the prepared public mouthpiece of a cyber breach.
During the major TalkTalk breach of 2015 it was evident that the CEO, Dido Harding, was placed in front of the media without the correct amount of briefing, which exacerbated the crisis further. Companies of all sizes need to understand that the faintest whiff of ‘cyber’, ‘hack’, ‘attack’ or ‘breach’ is toxic. The media love them, but your customers and your employees hate them. If the company is unprepared and the worst happens, then there is a strong possibility that it will lose reputation and customers, and generate an internal fear amongst its own staff that things are on the slide.
So how can this be prevented? Simple planning. In this instance you don’t need any fancy technology or large risk assessments; you need to pull together a team drawn from your CEO, Marketing, Operations, IT, and probably your legal representation too. If you need these meetings to be facilitated, then discuss this with your existing PR representation team, if you have one, and draw on their expertise. If not, then there are plenty of free resources on the web on how to structure a crisis communications plan. They cover everything from anticipation, through to roles and responsibilities, timings and monitoring of how the news spreads.
As you plan, no topic, no disaster, no situation should be off limits. Everything from the loss of data through to victims of fraud requires discussion and a plan of what to say should it occur. What if you discover that your cyber woes are caused by a privileged insider, a rogue employee? How would you communicate that to your staff? No matter how unpalatable, it is better to play out these scenarios internally and hopefully never have to use them, rather than wait until a situation arises and allow panic to ensue and inaccuracies to spread.
A cyber crime will occur fast and in many cases the victims are not the first to know. Therefore, timing is critical. Your company could get a call from a competitor, a supplier, a customer or even an employee asking questions regarding a breach. If not answered, then rumours will spread and thanks to digital communications they spread fast. Having even the most basic media statement prepared – ‘There is a possibility that our security has been breached. We are currently investigating the validity of this claim and will release our findings within the next 24hrs’ – buys a company time, but for the unprepared it may not be enough.
If you do go through this exercise of crisis communication development, it can also act as a catalyst for uncovering some weak points in your current security, which may be a good or bad thing, depending on your viewpoint.
The biggest challenge of all is accepting that this exercise is going to cost time and money, and will require regular reviews, ongoing management and an overhead that many may be unwilling to take on, especially as the result of all this work may never see the light of day.
But what would you prefer? To prepare and never use it, or to be unprepared and then one day be faced with a barrage of questions to which you simply don’t have an answer? That would be a crisis.