Technology is always changing. We’ve updated this article to reflect the latest best practices. (Originally published on October 14, 2020.)
The U.S. Department of Homeland Security and the National Cybersecurity Alliance have designated October as National Cybersecurity Awareness Month, and cybersecurity is currently top of mind for companies spanning virtually every industry. Unfortunately, communicators know that when it comes to data compromises, it isn’t a matter of “if” but “when.” It is never too early to think about how your company will communicate both internally and externally in the event of a breach.
A recent survey queried business owners and IT professionals about their 2022 cybersecurity plans, priorities, and budgets. Findings include:
- Only 50% of U.S. businesses have a cybersecurity plan in place
- Of those, 32% haven’t changed their cybersecurity plan since the pandemic forced remote and hybrid operations
- The most common causes of cyberattacks are malware (22%) and phishing (20%)
- Cybercrime cost U.S. businesses more than $6.9 billion in 2021, and only 43% of businesses feel financially prepared to face a cyber-attack in 2022
Cybersecurity communications often gets lumped in with crisis communications given the urgent nature of a breach and the heightened potential for high-profile reputational risk. However, when a company is compromised from a cybersecurity standpoint, the communications team will likely need to engage with an entirely different universe of players and may need to trigger additional protocols.
“…when a company is compromised from a cybersecurity standpoint, the communications team will likely need to engage with an entirely different universe of players and may need to trigger additional protocols.”
Think through your cybersecurity communications strategy in advance. Use your existing crisis communications approach as a base, and layer on a cybersecurity-breach framework with the additional details. Keep the following in mind when tackling your cybersecurity communications preparedness plan:
Sit down with your CISO (chief information security officer) or CSO (chief security officer) and discuss the possible scenarios that pose a threat to your company. Think through each possible threat and identify the internal and external audiences who will be impacted. Whose data was compromised? Your colleagues on the technology side (led by your CTO), might already make it a practice to run through these scenarios to test their systems infrastructure. If possible, get a seat at the table for the next drill to be more familiar with the teams and the protocols.
A cyberattack could trigger a host of disclosure protocols that the communications department will not fully understand without talking to the legal department. Does law enforcement need to be notified? Is it a ransomware attack, and can the criminals be tracked? Is the breach part of a larger campaign being perpetrated globally? What are the guidelines in terms of public disclosures? What is the timeframe for notifying customers during an investigation? Think through these questions now because when the breach is upon you, some actions will have to occur immediately.
Cybersecurity attacks could merit positioning spokespeople who are not typically the face of the company in a crisis. The CISO may be better suited to field technical questions and concerns about the future security of the company than the CEO. Or, it may be best to utilize both the CEO and the CISO depending on the media outlet and the gravity of the situation. Prepare spokespeople in advance who can address the technical security questions. This means formal media training, and also engaging in low-stakes practice interviews as often and as early as possible. You don’t want the spokesperson’s first interview to be the one where everything is on the line.
It is likely that your company’s threat management, detection, and response initiatives are bolstered by a team of vendors behind the scenes. Be aware of these entities and how they work with the technology experts at your company. It is likely that these vendors will be major players when something goes wrong, and you’ll need to understand the relationships and, in some cases, have a point of contact there to coordinate and clarify messaging for internal and external communications.
A solid cybersecurity communications strategy is one of the most important weapons you have to deal with an attack. Be prepared by taking your crisis communications plan and training to the next level. Be knowledgeable about the players and protocols to stay one step ahead of the inevitable data breach.