How to Contain PR Fallout from a Cyber-attack

Fusion PR works extensively in the cyber security space. We are often asked about how to handle the PR fallout from breaches. What are the similarities and differences with other kinds of crisis management?

I decided to answer these questions in this post, with input from our team.

Like other PR Crises?

A cyber-attack is a special kind of crisis. It has some things in common with other types (e.g. product liability, malfeasance) in that the company’s reputation can also be at stake.

But by their nature, problems related to cyber-security and data leakage can be more challenging to understand and contain. It is not always easy to know the cause, the damage or even where and when the problem begins or ends. They can be insidious and confounding, and they always seem to find new ways to bedevil.

As such, these incidents add wrinkles to the traditional crisis management playbook.

The Role of PR in Cybersecurity

PR can and should play a vital role. Unfortunately, most companies take an overly cautious and defensive approach when it comes to communications. They are reluctant to go public in a positive and proactive way about the measures they are taking to protect their networks and data (see my post We’ve been Hacked! Call the Press). And they may say the wrong thing or not enough after an attack.

When an organization is attacked, and the attack is significant (not the everyday attempt, but one where real damage has happened or is underway), the PR team should advise the client (or employer, if in-house PR) to respond according to the tenets of crisis management.

That means moving quickly to gather the facts and implement a crisis management plan.

The Crisis Plan

One of the best ways to limit the fallout is to be proactive and vocal, sooner rather than later.

If it is a major breach, word will get out, and the potential damage to brand and reputation will be compounded (possibly opening the door to legal penalties). You need to be transparent and address the concerns of all stakeholders (customers, shareholders, employees) early on.

There can be a life cycle to these things that requires different statements at different times. For example, if it is a major attack, do you say anything while it is still happening and/or before the damage has been contained?

An example that comes to mind is the recent wave of ransomware attacks – if a company or government is being extorted, should there be public statements before it has been resolved? Again, the rules of crisis management and even hostage negotiations can come into play.

In general, you need to act quickly and transparently (guided by the crisis plan and with input from the CISO, PR team, legal advisors and C-level execs).

Piecemealing information is a way to prolong the PR pain – it can be like death by 1000 paper cuts. Boilerplate responses should be avoided.

How to Prepare

Organizations should have a crisis plan in place that includes specific measures for breaches and other cyber-attacks.

Plans should spell out things like crisis team, process, stakeholders, communications channels and include specifics (e.g. contact details, links) – so that you don’t have to hunt the details down when an actual crisis such as a cyber-attack occurs.

The plan should be deployed at the first sign that trouble is brewing – even if it is a false alarm, it is better to be ready. On that note, good crisis plans include steps to pre-empt real crises. That means anticipating vulnerabilities, taking steps to limit exposure and practicing via simulated scenarios to ensure readiness for when one occurs.

A good plan will help mitigate backlash, but it may be impossible to completely avoid this if there were egregious errors and extensive damage.

Other Thoughts

Several members of our team chimed in with additional thoughts; see below. And what do you think? Please chime in!

As is true for any other crisis – tell the truth, tell it fast, tell it all.
Also, some things must be done simultaneously – monitor all social media channels to address customer concerns, identify rumors and counter them, offer updates in regular intervals…

Ruchi

I think there’s an argument on saying too much too soon vs. saying too little too late. And as far as putting a plan in place so it doesn’t happen again, don’t make promises you can’t keep, that’ll make things even worse.

Brian

The main concern of cyber crisis management is ensuring that the customers know what to do and feel safe. Tell them to change their passwords or give them a place to go to see if their data was affected. Let them know what you’re doing to make changes and how the breach happened in the first place. It’s important to show compassion and customer care for the victims rather than blaming the breach on somebody else.

Mark