Thomas Graham & Reg Harnish co-authored this article.
Cyberattacks present media with the type of drama they crave for good headlines. They also present an interesting psychological phenomena: on one hand, they’ve become part of the world in which we live; on the other, each headline can set the public into cyclic worrying. Is my financial information safe? Will I wake up in the morning with an empty bank account? Has my identity been stolen? To your business, it’s an organizational crisis. To your customers, it’s personal.
The affected company scrambles into action. It soon declares the problem “fixed,” perhaps offers assistance to any stakeholders dealing with the aftermath, and the public moves on, some believing in the “new” level of promised security and some moving their business — and their data — to the competition.
And then the next attack happens.
A cyberattack is also a PR crisis; its potential impact must be considered in your communications program. Many customers and stakeholders equate cybersecurity with the best software program, government-standard data encryption, or lax human resources and physical location policies. In their minds, a cyberattack is you breaking your promise; it has become a violation of their trust in you. You risk a breach not only to your data, but your reputation.
There are three key rules in the cybersecurity realm.Rule #1: you will experience a breach; rule #2: cybersecurity is less of a hardware or software issue, and more of a human, psychological issue; rule #3: the most effective response for protecting your reputation and your business is proactive planning for both cybersecurity and crisis communications.
You will experience a breach
Like any crisis, cyberattacks occur with varying levels of severity, from a virus causing various degrees of harm, to major enterprise breaches and stolen data. According to CRN, data breaches were particularly big in 2015. In 2013 we had the infamous Target retail data breach that still commandeered 2014 headlines, while in 2015 government office breaches appeared to be a particular target.
How can these breaches happen? After all, our government and major U.S. businesses spend millions on cybersecurity. (Target had just completed its mandated cybersecurity attestation a few months before that major hack.) Collectively, organizations of all forms invest billions of dollars in cybersecurity and work hard to remain compliant with mandated cybersecurity measures. But the harsh truth is, the investment can’t just be in dollars, and compliance doesn’t equal security. The state of cybersecurity today is not if, but how often and what impact each attack will have on your organization.
The truth is, compliance, whether voluntary or mandated, can be a distraction, giving organizations and their stakeholders a false sense of security. The best security programs guarantee compliance, not vice versa. Do you understand the gap between your compliance program and your ideal security program?
The reality is that compliance makes you feel secure when you’re not.
Cybersecurity is a human issue, not a technology issue
The best cybersecurity program is a process, not a piece of software. Seven out of 10 cyberattacks will get by any software, and none of them adequately compensate for human error. Your CIOs likely know this. Investment in hardware and software is important, but the greatest risk to your organization is the people within it. You must move people to the top of the cybersecurity assessment and management list.
But then what? How do you protect against your own people?
You should consider your security vendor to be nothing short of bodyguards for your organization. And in order to adequately protect you, they have to perform an assessment.
It may require more automation for your organization, or more external control. The fact is, you have to know what’s important in your organization in order to know what to protect. And a good security program never protects you against just one thing.
The goal is not 100 percent security; the goal is minimizing the impact of a cyberattack so that you don’t become the next headline. Either scenario — headline-making or caught and kept internally — requires a cohesive response scenario for all of your assets.
Cybersecurity must include crisis communications preparedness
Like most PR firms that offer crisis communications counseling, our agency preaches proactive crisis preparedness.
While protecting data is paramount, organizations can’t overlook the threat an attack can pose to its reputation. A proactive and continuous approach to cybersecurity works in concert with a proactive and continuous crisis communications plan.
We take a four-phase approach to crisis communications, using a continuous process called CPR-PLUS that works in concert with a cybersecurity process.
Phase I: planning
We conduct a risk assessment that includes the potential crisis scenario of a cyberattack. With your cybersecurity team, we are able to more accurately pinpoint the likelihood of a high-or low-impact scenario and the speed at which it could escalate.
This is also where we identify the appropriate key messages and crisis team for a cyberattack scenario, including a spokesperson. For cybersecurity, external crisis response teams can better neutralize an internal issue that may have led to the breach, while your spokesperson informs stakeholders, whether internally or publicly.
Phase II: practice
This is like your family’s fire-drill: the more you practice, the more time and assets you can save if and when a fire occurs. Conducting these “drills” with your cybersecurity team is critical to an appropriate communications response. It allows you to see how quickly you can assemble your response teams, and how long an appropriate “fix” can take. Practicing your response interjects authority into your response. It signifies preparedness, which engenders trust. People want a solution, regardless of the problem.
Phase III: response
Then the cyberattack happens. This is where your cooperative plan must work seamlessly. The cybersecurity team is being dispatched to perform “incident triage,” including securing the crime scene. Your response has to allow this and other steps to occur prior to making any statement. Fix the problem, then talk about it.
Other steps in the cybersecurity response include forensics, investigations, reporting the breach to the proper authorities, preparing management for legal issues and managing the IT staff.
Someone on your communication crisis team needs to understand these steps without getting in the way, incorporating activities and findings into appropriate backgrounders and FAQs as appropriate. You must be transparent and honest with your stakeholders without revealing information that can potentially contaminate the cybersecurity investigation. You can’t perform this delicate dance without cooperative pre-planning and rehearsals.
Phase IV: recovery
Your recovery is as important as your response; the PLUS in CPR-PLUS represents Public Leadership Under Stress. Your communications with whatever stakeholder level has been affected must continue, while simultaneously performing an internal review of your crisis action response. Conduct this from a communications standpoint, but also with recommendations from your cybersecurity team and make the necessary adjustments to both components.
When it comes to cyberattacks, there are two types of companies: Those that survive in the current environment of constant cyber threats, and those that don’t. Joint preparations between your communications and cybersecurity teams, and maintaining cybersecurity as a continuous process, can minimize the impact an inevitable attack might have on your organization.
It can keep you out of the headlines, and protect your reputation.
* * *
Thomas Graham is CEO of Crosswind Media & Public Relations. Reg Harnish is CEO of GreyCastle Security.