Cybercrime is evolving and on the rise. In 1994, a hack on Citibank’s network resulted in the bank paying over $10 million to a then-unknown cybercriminal. That event kicked off almost three decades of cybercrime that has only increased in volume and complexity. In 2020, when COVID-19 accelerated businesses and other organizations’ moves online, whether they were ready or not. In the last two years alone, we have seen an exponential growth in cyber threats – punctuated by notorious ransomware attacks on SolarWinds, one of the largest information technology firms in the country, and Colonial Pipeline, which impacted millions on the East Coast. Even small towns in Texas were hit by cyberattacks.
Report after report now outlines cybercrime as one of the leading threats against business today. For organizations across the globe, cyberattacks are no longer an “if” but a “when” and should be planned for accordingly.
If no business or organization is exempt from this looming challenge, how do you ensure you’re prepared?
Beyond implementing necessary technical and risk mitigation efforts, a comprehensive communications strategy should be developed and implemented. Not only does effective communication support immediate crisis needs, but it can also mitigate long-term reputational damage.
With that in mind, let’s dig into where cybersecurity stands today and six best practices to ensure you’re communicating effectively after an inevitable attack.
According to the Identity Theft Resource Center’s (ITRC) 2021 Data Breach Report, the number of publicly-reported data breaches last year hit an all-time high. More than 1,860 breaches were recorded in the U.S., surpassing 2020’s total by 68%. Plus, the rapid digitalization of the world – in 2022, The World Bank estimates that annual total internet traffic will increase by about 50% from 2020 levels, reaching 4.8 zettabytes – means more data than ever before is available for the taking.
While there is heightened awareness about the threat posed by these crimes, many companies are still insufficiently prepared. According to Mimecast’s 2021 State of Email Security Report, almost two-thirds of businesses suffered a ransomware attack in 2020 alone, and 79% of companies were hurt by their lack of cyber preparedness.
Beyond negatively impacting reputation, both internal and external, cybercrime takes a heavy financial toll. In 2020, organizations experienced six days of downtime, on average, when experiencing ransomware attacks (double the amount of time experienced in 2019). Cybersecurity Ventures, a leading research and reporter on the global cyber economy, predicts that ransomware alone will cost its victims around $265 billion (USD) annually by 2031, with a new attack taking place every two seconds. Globally, the total impact of cybercrime will be an estimated $10.5 trillion annually by 2025.
Most organizations now maintain some level of cyber insurance coverage to protect them from these mounting costs (in many cases, this coverage explicitly includes crisis communications services). However, with the rising frequency and financial impacts, cyber insurance policies are trending in the same direction – S&P Global predicts that cyber insurance coverage rates could as much as double in the next several years.
Whether it be email threats, malware, voice phishing, or any of the numerous different malicious activities, companies need to be prepared for the multitude of threats on their increasingly complex information technology systems.
6 Best Practices for Managing Communications around a Cyberattack
Any effective crisis communications strategy maintains a few common truths, such as developing an understanding of stakeholder (who needs to know what, when, how and from whom) and situational awareness (size, scale and scope of an issue will trigger different levels of communication). Fortunately, these hold true when dealing with a cyberattack. Here are a few other best practices to consider when preparing for and managing a cyberattack:
1. Analyze the situation.
Not all attacks require the same level of response. Take the time to understand what happened before communicating as it will greatly impact the volume and level of communications necessary. While it is often hard to tell if sensitive information was “taken” or merely “seen” by cybercriminals, if there is evidence of the former, a more urgent and aggressive communications posture could be necessary. Additionally, a data breach in which PHI (personal health information) or PII (personal identification information – e.g., social security numbers), are accessed, such as what happened in 2015 to Anthem Healthcare, represents a serious breach of information and poses a substantial threat to the company, its partners and customers. In Anthem’s case, 80 million individuals’ data were put at risk. After discovering the attack and launching an investigation, the hospital took one week to gather the necessary information and develop a suite of materials, including a holding statement, landing page with FAQs and a hotline for customers, to address the situation. Alternatively, a ransomware attack in which a small volume of historic documents with no PHI or PII are taken hostage represents a much less meaningful threat to a company’s customers and future reputation. In that case, the company will still need to take the time to work with investigators to identify details of the attack before communicating. Once confirmed that attackers did not access PHI or PII, the company can move forward with developing and delivering a more targeted and limited set of communications materials.
2. Work with an established crisis team.
Ideally, prior to any breach you will already have a clearly defined and cross-functional team in place, including personnel from communications, legal and information technology departments. Each department or individual will need to have ownership of unique responsibilities in the event of an issue. For instance, one significant role for counsel will be to escalate and ensure proper disclosure to federal and/or state authorities and to ensure compliance with the most restrictive state laws, a step required for nearly all cyber threat incidents. Many state laws differ on the subject of cyberattacks; therefore, it is best practice to build communications around the most restrictive state law requirements. Information technology representatives will want to work closely with any forensics firm to conduct a rapid, but more importantly thorough, investigation of the incident. This individual may also serve as a key spokesperson to internal and external stakeholders, so he or she should be prepared with message training early.
3. Consider your stakeholders, both external and internal.
Victims of any attack (e.g., customers, vendors, partners, employees, etc.) will certainly be the primary audience initially. You’ll need to share the facts of a cyberattack as you have them, any pending investigations, and be prepared to respond with questions related to present and future impact. However, it is imperative to reflect and include all stakeholders. For instance, if a breach focused on customer data, and therefore customers were the primary affected stakeholders, a communications plan should include an employee-focused response, as well. Employees can be one of the entrance points attackers may use to access a system and company information. Whether or not employees are primary victims of an attack, this internal group represents an essential stakeholder when communicating both about a present attack, as well as future mitigation steps. Ideally, you’ll be communicating with employees well in advance of any attack via trainings and regular cybersecurity updates, too.
4. Be transparent, helpful and empathetic.
Cyberattack investigations take considerable time to resolve, many times months. Because you may not have all of the details of an investigation immediately – or, in many cases, ever, it is essential to communicate the facts, without speculation, and to provide solutions and directions for those impacted. In crafting ongoing communications about an issue, ask yourself is the information clear and factual? How about helpful? Do you present the company as understanding and empathetic? For instance, in most cases, a company will provide at least one year of complimentary credit monitoring and encourage victims to contact their banks and insurers as a way of showing support.
Keep this in mind not only for written communications. Are talking points for customer service personnel, who are responding to inquiries, conveying appropriate empathy and transparency? Are your spokespeople providing this in media interviews? Are executive leaders and managers effectively disseminating information to employees and working to maintain morale? No matter the size or scope of the issue, the attention is on your company during these times of crisis. Make sure that communications at every front convey both sincerity and calm.
5. Be mindful of post-crisis communications.
Unfortunately, crime sometimes begets crime. After a cyberattack occurs, especially if that attack impacts a large number of individuals, victims can fall prey to additional scamming attempts. Phishing emails come through with information about credit monitoring services, or victims receive phone calls with “urgent” news about the attack that requires a credit card number. It leaves victims feeling continually vulnerable, and therefore, companies must ensure they are explicit in how they are communicating with those impacted. For instance, if you are offering credit monitoring services, spell out exactly how and when impacted individuals will receive information about how to sign up, so they can avoid any questionable emails should they come through.
6. Have a plan in place before the crisis hits, but also learn and re-evaluate.
Nothing helps quite as much as having a thoughtful and strategic plan in place. Before the crisis occurs, audit your risk profile and potential areas of vulnerability, analyze audiences, map out situational language, identify key decision-makers and spokespeople. All of these steps will ensure that when the fire hits, your communications materials are founded in a clear, well-thought-out strategy. But every situation is unique. Following the issue, be sure to re-evaluate the plan. Were the communications tools effective at clearly informing victims of the details of the situation? If the attack resulted from an employee clicking on the wrong email link, what new trainings need to be implemented? Be curious. Greater awareness of the vulnerabilities of a strategy will only help in strengthening the plan for future inevitable issues.
It’s clear, cyberattacks are only going to increase. Even if your company is prepared technologically against a threat, is it prepared to communicate effectively? Assessing vulnerabilities and putting a communications response plan together are the key initial first steps. They could all make the difference in ensuring your company’s reputation is seen as responsible, trustworthy and supportive when an attack comes.