Remote work, bring-your-own-device policies, and distance learning have made us all more vulnerable to cyberattacks. The nonprofit organization Information Systems Security Association found a 63% increase in cyberattacks related to the pandemic, calling COVID-19 a “once-in-a-lifetime opportunity for hackers and online scammers.”
The U.S. Department of Homeland Security and the National Cyber Security Alliance have designated October as National Cybersecurity Awareness Month, and cybersecurity is currently top of mind for companies spanning virtually every industry. Unfortunately, communicators know that when it comes to data compromises, it isn’t a matter of if but when. It is never too early to think about how your company will communicate both internally and externally in the event of a breach.
Cybersecurity communications often gets lumped in with crisis communications given the urgent nature of a breach and the heightened potential for high-profile reputational risk. However, when a company is compromised from a cybersecurity standpoint, the communications team will likely need to engage with an entirely different universe of players and may need to trigger additional protocols.
Think through your cybersecurity communications strategy in advance. Use your existing crisis communications approach as a base, and layer on a cybersecurity-breach framework with the additional details. Keep the following in mind when tackling your cybersecurity communications preparedness plan:
Sit down with your CISO (chief information security officer) or CSO (chief security officer) and discuss the possible scenarios that pose a threat to your company. Think through each possible threat and identify the internal and external audiences who will be impacted. Your colleagues on the technology side (led by your CTO) might already make it a practice to run through these scenarios to test their systems infrastructure. If possible, get a seat at the table for the next drill to become more familiar with the teams and the protocols.
A cybersecurity attack could trigger a host of disclosure protocols that the communications department will not fully understand without talking to the legal department. Does law enforcement need to be notified? What are the guidelines in terms of public disclosures? What is the timeframe for notifying customers during an investigation? Think through these questions now because when the breach is upon you, some actions will have to occur immediately.
Cybersecurity attacks could merit positioning spokespeople who are not typically the face of the company in a crisis. The CISO may be better suited to field technical questions and concerns about the future security of the company than the CEO. Or, it may be best to utilize both the CEO and the CISO depending on the media outlet and the gravity of the situation. Prepare spokespeople in advance who can address the technical security questions. This means formal media training, and also engaging in low-stakes practice interviews as often and as early as possible. You don’t want the spokesperson’s first interview to be the one where everything is on the line.
It is likely that your company’s threat management, detection, and response initiatives are bolstered by a team of vendors behind the scenes. Be aware of these entities and how they work with the technology experts at your company. It is likely that these vendors will be major players when something goes wrong, and you’ll need to understand the relationships and, in some cases, have a point of contact there to coordinate and clarify messaging for internal and external communications.
A solid cybersecurity communications strategy is one of the most important weapons you have for dealing with an attack. Be prepared by taking your crisis communications plan and training to the next level. Be knowledgeable about the players and protocols to stay one step ahead of the inevitable data breach.