Chris Butler, Principal Consultant, Cyber Resilience and Security, Sungard Availability Services
To quote Warren Buffett, it takes 20 years to build a reputation and five minutes to ruin it. Years later, in our “always on” world, I would wager it can take less than five minutes to incur damage to your image. We are unable to open the newspapers or turn on the television without bearing witness to the latest victim of a cyber-attack.
In a world overwhelmed by social media, news of such a disaster can go international in the time it takes to say ‘cyber-breach.’ And the potential fall-out of a crisis? Damage to your business’s reputation, negative effects on share price and a detrimental impact on staff morale.
If a data breach takes place, organisations must be in the position to communicate information instantaneously and precisely to all parties affected – customers, partners, vendors and staff. However, crises are unique and unpredictable, and can go beyond what you’ve planned for. How can organisations be best placed to respond accordingly?
There are two types of communication that are needed to support a crisis management programme. Both require sufficient preparation to ensure a swift and appropriate response in times of crisis, and that those impacted are kept in the loop by business leaders – not a random social media post.
1. Pre-defined messages:
These should be the cornerstone of any good crisis management programme and are crucial to avoid wasting time deliberating on what to say as the crisis unfolds. But how do you go about developing them? Organisations need to dedicate time to identifying potential scenarios, developing the appropriate messaging templates and selecting appropriate communications channels for each situation. It is recommended to carry out a comprehensive stakeholder analysis to identify the parties who will need to be informed as a priority, and what they need to know. Constructing and clearing provisional statements in advance will place your business in a much stronger position to respond quickly and accurately.
2. Tailored Response:
Tailored responses are unique to a particular crisis. While it is not possible to prepare for every single crisis outcome, this does not justify neglecting foresight, groundwork or planning. As the saying goes, an ounce of preparation is worth a pound of cure. Carrying out simulation exercises to educate and train crisis teams, familiarise them with possible outcomes, and uncover opportunities and gaps in their programme(s) will help them develop a readiness mentality. This then places them in a much stronger position to manage threats to their organisation.
It’s crucial to enlist a crisis communications team, led from the board, embedded at the heart of your business and possessing a sound understanding of the risks and threats posed to the organisation. However, in a crisis the onus is not just on the defined crisis communications team. Senior management will need to be media trained to respond to untoward situations, to reduce damage to the business brand, to keep staff feeling focused and motivated and to engender confidence amongst stakeholders. They will be a vital conduit to creating market goodwill while the business establishes the nature and scope of the threat, re-instates or bolsters systems or operational integrity, and redresses any customer impacts.
Weathering a crisis will depend entirely on your organisation’s ability to arm itself and remain level-headed when the time comes. Businesses that deliver well-considered communications in the event of a cyber-attack will be the ones to demonstrate foresight and agility, re-positioning themselves as a stronger and more resilient force.