Cyberattack! Now what?
Five public relations experts offer advice
PERRY BEEMAN Dec 12, 2017 | 8:10 pm
9 min read time | 2,052 words | Business Record Insider, Tech & Innovation
We read about cybercrimes — some rising to the level of attack — all the time. Department stores, government agencies, universities, private companies and others are hacked, and students, customers and clients are put at risk of losing critical private information.
In some cases, the criminals demand ransom. In others, crooks try to use our personal information to charge items. I’m not sure how the person who was wandering around Connecticut got my credit card number about the time I was visiting Orlando, but I had to get a new card and go through changing all my autopay information after the credit card company caught the failed theft attempt.
That was the personal side. An attack on Target or another large operation can leave thousands of people at risk.
We know the problem is there, and we’ve talked about and written about how to prevent these types of attacks. This week, we thought we’d explore what you and your business should do after a cybercrime.
We asked five Greater Des Moines public relations professionals to pass along advice. Here are their lightly edited responses.
Executive director of public relations
If the last couple years have been any indication, it is only a matter of time before any business — large or small — will experience some sort of cyberattack. The best defense is a good offense. Every business needs a continuity plan in the face of an attack, and communications must be a critical part of that plan. When developing the crisis response team, make sure to include the communications lead as part of the planning. A spokesperson needs to be identified, preferably someone very credible and good on camera.
When an attack first occurs, communicate with all customers that may have been potentially impacted as quickly as possible. Be able to explain what occurred, what is at stake and, if available, immediate steps that the clients or customers need to take in the aftermath. Customers need to understand what they need to do and what the company is doing to reduce the risk of this happening in the future. Communicating well with employees is just as critical as communicating with customers.
Have a communications strategy at the ready, with key talking points already developed, that can be shared immediately when necessary. Communications should be consistent and continual throughout the crisis — hourly the first day and then several times a day until the issue is resolved.
For the media, having a holding statement ready for distribution will save precious time early on, allowing you to focus on communicating to employees, customers and partners. Keep media updated as information becomes available to share.
By staying on top of communications, you will be able to ride out a cyberattack with your business’s reputation and credibility intact. Transparency and honesty will go a long way in maintaining a brand’s reputation.
Public relations account supervisor
The most important thing I’d convey is that there is a lot of work you can do long before an attack happens to minimize damage to your reputation. Your PR team needs to have a seat at the table when discussing potential threats and internal security efforts. A notification protocol should be established, and you should always conduct training or response exercises (something so few take time to do).
This doesn’t even touch on the power of your community engagement and corporate social responsibility efforts. I believe that building a reputation for your company that is anchored in goodwill and giving back will earn you some grace from your customers and the larger community. It won’t make you invincible, but it will earn you some grace.
Immediately after an attack there are a few things to keep in mind. First, don’t assume that no one will find out and you can keep it internal. Someone always finds out. Second, get a very real grasp on the scope and scale of the attack or breach, and respond accordingly. This is where the prep ahead of time comes in handy. If you can speak the lingo and know the dynamic, you’ll be better equipped to respond with the appropriate level of concern, alarm or reassurance.
Finally, I don’t think addressing client concerns and protecting your brand are necessarily conflicting priorities. I still think honest dialogue and transparency win the day (and the dollar), even in a crisis situation.
Public affairs manager
A cyberattack threatens a customer’s feeling of safety and trust in a company. The most important thing to do after a cyberattack is discovered is to let your customers know so you can begin rebuilding the trust. Bad news is never easy to share, but how it’s shared matters. Think of a doctor delivering bad health news. The bedside manner is important, and the same goes for a company. If bad news is delivered with honesty and compassion, it is easier to digest.
I would help a client craft a short, simple statement to alert customers of the attack and let them know a full investigation is underway to determine how it happened, and the depth, to prevent future attacks. I would also recommend the company have their legal team review the statement to ensure that the statement does not unintentionally say anything that could be held against the company in court, but ensures the company is working to make things right for customers.
Alerting customers soon is critical. Even if the initial attack is not your organization’s fault, failing to alert customers in a timely manner makes you partially responsible for subsequent fallout if you did not empower your customers with the knowledge needed to update their passwords and monitor their accounts. Being open and honest with customers from the beginning shows your brand has integrity and will help regain the trust of your customers.
Following a full review of the attack, the most important action your company then needs to take is to rectify the loophole or cause. This could be upgrading your point of sale infrastructure, internal processes or data management. Your organization needs to continue to communicate with customers and affected accounts to show you take the problem seriously and are doing everything possible to prevent it from happening again.
Vice president of business development & strategy
There are, of course, different types of cyberattack risks, but one of the most common and potentially harmful to a company’s reputation involves a breach of customers’ personal and financial information. Businesses in possession of this information should absolutely make a security breach part of their crisis communications planning — they need to be as prepared for this as they are for any other emergency situation.
As with most crisis situations, if a cybersecurity breach occurs, companies should be transparent. They must demonstrate care first for the customers over organizational reputation. Any business that tries to hide a security breach or cyberattack compromising customer information is only delaying the inevitable and putting customers at risk while doing it.
These are the communications steps we’d advise a client to take in the event of a cybersecurity breach:
Evaluate the extent of the breach.
If customer information has been compromised, disclose that as soon as possible — sharing information helpful to customers without compromising an investigation.
Educate customers on how to protect themselves by adjusting their own security and by monitoring their financial assets and credit. This won’t fix the breach that has already occurred, but it enables customers to take action and prevent the breach from becoming worse for them personally while the company is investigating the potential harm of the situation.
Remain transparent, keeping customers informed of developments that may affect them positively or negatively.
Quickly work with IT and cybersecurity teams to adjust or enhance security to prevent similar breaches from happening again. When the time is right, communicate enhancements to customers to earn back confidence.
Unfortunately, all of us as consumers are at some level of risk simply because of how much information we share or disclose through various transactions, particularly online. We all want to trust that organizations we do business with are putting the best security in place to protect us, and companies should continue to adjust and enhance security to avoid cyberattacks.
Companies wanting to earn and keep customers’ business must first earn and keep their trust, and transparency and customer care are critical ingredients of that.
Wixted & Co.
A cyberattack or security breach is significantly different than other crisis response challenges because the scope and impact of the breach are not immediately known. The threat is real but the extent of the exposure or compromised data will not be confirmed for days, weeks or even months. So, what and to whom do you communicate?
Recognizing that operations leads communication, we recommend a three-step process for incident and crisis strategy. Assess, act and audit. Assess: What do you know? How did you learn of the cyberattack, and from an operational standpoint, what is the company doing now to address the breach?
Act. And act now. In this phase you must develop a communication strategy, list of stakeholders, messaging, and ways to share the message — email, employee meetings, customer letters, a news release or advertisement.
If you simply know that there was a cyberattack or data breach but you don’t know the scope, develop a fact-based statement and post it on your website. Focus on what you know, the process to learn more information and what customers should do.
It is important that you publicly post the information about the cyberattack or data breach relatively soon after learning about the issue. The biggest mistake a company can make is to wait until they have the full set of facts — this means you will be notifying customers in June about a breach that occurred in January. Customers will be angry about the delay and suspicious of your motives.
If you are a retailer, you may need to reach out directly to customers, provide signage at the point of sale and alert the news media so they can help share your message. If you are a professional services company or corporation where most of your interaction with your clients is through written communication, send an email or letter.
In the early stages, it is important to be factual and candid. There are more questions than there are answers, so you must commit to regular updates and provide services such as free credit monitoring services.
Companies should use their own platforms to communicate about a cyberattack or breach. This allows the company and its customers to receive frequent updates.
Once you have shared the initial information, you must audit. Review the customer comments, social media chatter and other narratives to learn what needs to be addressed in the next phase of communication.
A company and its clients have the same goals when it comes to safeguarding sensitive personal information. Therefore, a company must commit to do what is reasonable in terms of software and other protective measures, including training employees on how to manage sensitive data.
People are no longer forgiving of companies where laptops (where their sensitive information is stored) are stolen from employees’ cars, hospital employees snoop in medical records, or boxes of confidential information are thrown in the dumpster.
The stakes are higher. The risks are higher. Therefore, you must take tremendous care in protecting your clients’ information and then your brand will be protected.
The most important action for a company to take following an initial cyberattack is to learn from the incident. Why did this happen? What could we have done differently?
We believe it is important to conduct a root cause analysis or postmortem in the spirit of learning what you could or should reasonably have done differently. Whatever caused or allowed the original breach must be fixed as soon as possible. In addition, a comprehensive overview of all security policies and procedures should be conducted immediately, and any weak points identified must be addressed.
There will always be new threats and new challenges. But do you have the right culture so employees can identify threats before they become real?