The number and severity of cyberattacks on companies and public institutions have continued to grow at an almost frightening rate, both nationally and internationally, in the second pandemic year. One can rightly speak of a “digital pandemic of our time”: according to a study by the digital association Bitkom, nine out of ten companies surveyed said they had become victims of cybercrime in the past twelve months. There has been a particular increase in ransomware attacks, in which company data is encrypted and often stolen in order to subsequently extort a ransom. According to Bitkom, the damage caused by ransomware alone rose by 358 percent in 2020 and 2021 compared with the previous years 2018/2019, more than quadrupling. One in eleven companies (nine percent) now sees its business existence threatened by cyberattacks.
At FleishmanHillard, we have provided communications advice and support to numerous companies in acute cyber crises over the past two years – from small and medium-sized enterprises to global players. Even though ransomware attacks in particular often follow a similar pattern, the organizational conditions they encounter in the attacked organizations can be highly diverse – not least in the area of corporate communications.
A cyberattack is a special crisis situation because it typically affects all areas of the company and many different stakeholders at the same time. This makes professional crisis communication all the more important. From our experience, ten “golden rules” of cyber crisis communication have emerged, which those responsible for communication in any organization should urgently observe – and not only once the emergency has occurred, but as early as possible.
1. Get the right partners on board – and do it early.
Even in “peacetime”, you should check whether you have the necessary resources and expertise in-house to respond quickly and appropriately in the event of a cyberattack. This applies not only to your IT department, but also to the legal and communications departments, as well as the specialized areas of forensics and recovery. A large-scale ransomware attack in particular is an exceptional situation whose complexity a company can hardly handle alone. It is therefore advisable to get professional, external help on board in advance. Insurance companies with appropriate cyber policies can usually assemble a team of experts consisting of IT forensic specialists, legal advisors and crisis communication experts within a very short time in the event of a loss. These teams are often already well-practiced as incident teams and network partners and bring outstanding added value and support very quickly. Check which specialists and external helpers your insurance company has in its repertoire, and get external recommendations early on if necessary. Make sure that these partners are actually available to you 24/7/365, nationally as well as internationally.
2. Ensure that corporate communications is at the table in the crisis team.
Every organization should have a Cyber Incident Response Team (CIRT) that includes a senior communications leader. This helps bridge the gap between IT, legal, executive management, and external partners, and ensures that the communications team always has up-to-date and reliable information from IT forensics and recovery in a dynamic situation. Fast access to this information is essential in a cyber crisis, as it is the prerequisite for transparent and consistent communication, both internally and externally. It is also an important basis for strategic decisions in communications planning, including the assessment of necessary communications measures and the development of the recovery story.
If the CIRT does not have a formally defined role for a senior communications person, crisis communications for the entire organization will inevitably suffer in terms of strategy, content and also timing.
3. Be prepared – prevention and training are key!
The three secrets of professional cyber crisis communication are: preparation, preparation, preparation! Use the aforementioned “peacetime” to take precautions for various crisis scenarios now. This includes intensive training of the crisis team or crisis communication team, e.g. in the form of a crisis simulation for the CIRT: play out a cyber crisis completely, then do a gap analysis to determine where gaps still exist, be it in terms of communication (for example: Which languages do we need to cover? Do text modules exist for the various scenarios and escalation levels?) or in terms of IT (for example: Is there a prioritization of servers for system recovery? Are there externally stored backups or cloud solutions?). Clarify roles, task distribution and responsibilities within the task force and practice them in advance. After all, just as in sports, practice makes perfect in a cyber crisis!
At FleishmanHillard, we have developed and globally implemented a complete process for the professional preparation of a crisis management team, including crisis communication. We call this methodology the A.R.C. process: Assess – Resolve – Control. It starts in the Assess phase with an audit and gap analysis, followed by the development of crisis response processes as well as communication materials for different crisis scenarios. This is followed by an introduction and training phase (Resolve) with scenario-based simulations for the crisis team and, in particular, the crisis communications team. In the final Control phase, these processes and materials are continuously checked for up-to-dateness and optimized; in addition, FleishmanHillard is available with a 24/7 crisis communication hotline and more than 160 A.R.C.-certified crisis consultants in more than 80 offices in 35 countries, guaranteeing process reliability and crisis consulting at the highest quality level – always scalable, as needed.
4. Be up-to-date on compliance and regulation.
It is critical that the Chief Communications Officer is familiar with the regulatory requirements for data protection and cybersecurity as well as the corresponding reporting obligations, just as the Chief Compliance Officer is. This is especially true if your company operates internationally: in addition to the EU General Data Protection Regulation (GDPR) and the UK Data Protection Regulation, both of which require reporting to the relevant data protection authorities within 72 hours in the event of a personal data breach, there may be more extensive reporting requirements. For example, in the U.S., publicly traded companies are required by the Securities and Exchange Commission to file a Form 8-K to report “material events of which shareholders should be aware,” which includes a cyberattack. Failure to comply with this requirement can result in fines and other penalties. In addition, planned regulatory changes will impose legal requirements on a company’s information and communication obligations – these must be monitored continuously, because national legislators have also recognized the increasing international threat of cyberattacks and plan to become more active in this regard in the coming months and years. Whether through rules on negotiating with extortionists or on making or prohibiting payments of extortion money: the extent of legislative intervention varies from country to country, as do – linked to this – the requirements of insurance companies in the different countries.
5. Establish independent communication channels to your stakeholders.
Have you ever thought about how to reach your employees, customers and business partners when your email system stops working? When you can no longer access address books and the telephone system is also out of action? In this case, you need alternative communication channels to keep in touch with your stakeholders and disseminate information quickly and effectively – especially in crisis situations. Companies should therefore also consider cloud-based platforms that are independent of their own IT, enable communication in both directions, and can be put into operation quickly at the push of a button if necessary.
6. Use digital tools – but keep analog alternatives up your sleeve.
Reachability and availability are the prerequisites for remaining able to act in the event of a crisis. In addition to separate e-mail platforms, mobile employee apps are also ideal for this purpose, especially in internal communications, as they allow employees to be reached on the move regardless of their location. You should also clarify in advance how you can reach employees in the home office by phone or e-mail outside of the company’s own channels – here it is important to observe any company agreements and, if necessary, to involve the works council at an early stage in the event of a crisis. If your company has employees on the shop floor who cannot be reached directly by telephone or e-mail, you should also consider analog means of communication in advance. In addition to (Corona-compliant) team and townhall meetings, these can also be simple notices or paper copies.
7. Have your messages ready.
Yes, every crisis is different. However, there are many things you can prepare to help you respond more quickly in a crisis situation such as a cyberattack. Preparation is key – but have you considered the needs and requirements of all your stakeholders and key audiences? Do you have templates for employee and customer information – and if so, for different escalation levels? What about press releases, holding statements and leak statements – depending on whether your communications strategy is in reactive or active mode? From experience, it is much easier to start with about 70 to 90 percent of the texts already prepared than with a blank sheet of paper – especially if they require legal review or special internal approvals, for example from specialist departments or data protection. Use the time now for crisis prevention and professional precautions while the situation is still calm. In the event of a crisis, things will get hectic, and both the general pressure and the time pressure will increase immensely.
8. Pay attention to the right language – and prevent “undisciplined” communication.
Particularly at the beginning of a cyber crisis, the further course of communication can depend significantly on what is communicated, how and when. Rash, ill-considered communication usually does more harm than good. It makes a huge difference whether a CEO posts directly on Twitter “We have been hacked – I am already in contact with the blackmailers”, or whether the company website announces “There is currently an IT disruption due to maintenance work”. The impact of the right words and messages is significant. Any message, whether it is delivered via email, a company spokesperson, social media or a press release, must also strike the right balance to address the key concerns and issues of those affected. At the same time, of course, it must not reveal too much to the attackers and thereby potentially incite them to further activity. How and when the company communicates can likewise have a direct impact on the ransomware situation – one way or the other. Negotiation tacticians or individuals with negotiation experience should be involved. Again, get professionals on your side for these cases.
9. Determine the narrative – sit “in the driver’s seat” of communications.
In an ongoing cyberattack, there are more unknown variables than known ones. As the communications officer, you are the central source of information internally and externally – take advantage of this to put yourself in the “driver’s seat” of communications. Everyone will listen to your messages about current developments and status, whether they are positive as operations are restored or negative as new escalations occur – but you should be in control, steering and navigating the story. This makes it all the more important that you always have the latest forensics and IT recovery insights.
10. Learn from the crisis.
After the crisis is before the crisis. Once the cyberattack has been successfully averted or ended and the IT systems have been restored, the crisis team or CIRT should promptly draw the most important lessons and insights from all areas in order to emerge from the crisis sustainably stronger. Often, companies can even make a virtue out of necessity and use the “momentum” of the crisis to tackle further, often long overdue measures. These can include the introduction of additional IT security measures such as multi-factor authentication, IT security and data protection training for employees, the creation or updating of crisis manuals, media and crisis training for press officers, and the creation of social media or communications guidelines. In other words, everything that helps to get through a crisis even more rigorously and consistently – or, even better, to avoid getting into such a crisis in the first place.
In view of the ever-increasing threat situation, it is now less a question of whether a company will become the target of a cyberattack, but rather when. Therefore, it is essential to create and continually renew a deep awareness and understanding of IT and data security in the corporate culture. Communications, HR and IT departments should work closely together to set up appropriate training and information programs so that cyber security is lived and always present in everyday corporate life.