In October, CPRS Vancouver hosted an online professional development event about responding to cyber-attacks and building a crisis-ready culture.
Here are some key takeaways for those who missed it.
Understanding and Responding to Cyber Attacks: Shafiq Jamal
When COVID-19 forced many organizations to adopt a work-from-home model, cyber crime spiked. It’s only been growing ever since, and all sectors and organizations are at risk.
What are the most common methods cyber criminals use?
Most hackers areout to make a profit by obtaining personal information so they can access banking and credit card information.
Unfortunately, people are unknowingly giving this information away. Unintended human errors – like opening suspicious emails – contribute to 85% of cybersecurity incidents.
Ransomware attacks hold your company’s information, websites, or online services hostage until a ransom is paid. Unfortunately, most companies are finding the easiest way to resume operations is to pay off the cyber criminals.
Spear phishing techniques trick people into transferring money to cyber criminals. They target specific users and, usually, the attackers will perform research before attacking. This can make these techniques harder to spot as attackers have information about the target that makes them appear legitimate.
The hidden and “not so hidden” costs
The financial risk of cyber crimes to companies is obvious – data breaches are very expensive, and those costs are rising. In 2018, the average ransomware payment was around $7,000. In 2020 the average cost of a ransomware attack grew to over $200,000. In 2021, the average cost of a data breach surpassed $4 million for the first time ever.
But cybercrime is not only a massive threat to an organization's finance and operations – it’s a significant threat to its reputation.
This is where communicators come in.
How should communicators best manage the aftermath of cyberattacks?
- After a data breach time is of the essence. Affected parties, including regulators and stakeholders, should be notified quickly to show transparency. Communication updates must be regular and transparent.
-
If a breach is detected and customer or client information has been compromised, the key to restoring trust after the fact is to be transparent. Even if there is not much information available–say something. It can be as simple as, “We are aware of the incident and looking into it. We will continue to update our stakeholders as more information becomes available.”
-
Before an attack occurs, communicators can be prepared by drafting dark site content, media Q&As, and call center scripts. This ensures every touchpoint in the company is sharing the same key messages with external stakeholders.
-
Make sure to seek guidance from cybersecurity firms, insurance providers, and internal and external legal counsel.
Creating a “crisis-ready culture” needs to start at the top. So how can you gain buy-in from senior leaders?
While your company may be well positioned to respond to a reputational crisis, many are not – simply because leadership may not be aware of the severe and long-lasting financial and reputational impacts of a poorly handled crisis.
Alex Russell and Kylie McMullan shared tips on how to foster crisis communications preparedness within your immediate team – and all the way up to the C-suite.
1. Think beyond a crisis communications plan. Developing a crisis communications plan shouldn’t be seen as the be-all and end-all of a crisis-prepared culture.
A crisis communications plan should be a dynamic document that key players are familiar with and have tested together. Leaders should be media trained to act as spokespeople in a crisis. The organization should develop a culture of proactively staying on top of issues and ensure the right processes are in place to avoid and mitigate risks and issues so they don’t develop into crises.
2. Get started, wherever you are: The most important thing is to get started. But if crisis communications is new to your team, start building your knowledge and expertise as communicators by attending webinars or professional development events on crisis communications and bring in consultants who can speak from real-life examples.
When trying to get buy-in to invest in crisis communications preparedness, it also helps if you can start by establishing strong issues management practices and positioning the communications team as being proactive and strategic on this front.
Ask your boss about existing crisis communications plans and do an audit to identify potential gaps and ways to fill them. Consider developing relationships with outside vendors and contractors now in case you need additional support if and when a crisis hits.
3. Use the “carrot and stick” approach: Explain and demonstrate the advantages of investing in crisis communications preparedness. Show leaders the benefits by speaking to positive case studies and learning.
On the other hand, emphasize the negatives of not investing in crisis preparedness by sharing relevant situations of PR crises gone wrong. For some leaders, this may mean highlighting factors other than reputational risks, such as financial or legal fallout, of a badly handled crisis.
4. Manage up: Be strategic about making your case to senior leaders.
You can help build their understanding by sharing relevant information and resources, such as high-profile news stories about reputational risks and crises you see in the media, and providing your analysis of the response – how well was the crisis handled and what could have been done differently?
Approach crisis communications preparedness as a conversation with leaders, asking them about what crisis scenarios keep them up at night and what concerns they might have from a communications point of view.
Leverage other opportunities, like media training, to get senior leaders thinking about the need for crisis communications preparation.
Depending on your relationship with senior leaders, you may need to build trust first or scale your ask. wWhile communicators play a key role in raising awareness of what can happen if your organization isn’t adequately prepared in a crisis,– we don’t always have access to the decision-makers or aren’t yet in the right position to influence them.
Start building relationships internally and cross-departmentally, especially with departments like risk/emergency management, legal, security, and HR. Some of these groups can be champions inhelping you make the case to leadership. Depending on your organization, it may also be appropriate to reach out to your counterparts in external agencies, such as government ministries, first responders, or regulators, to build allies.
Look at your past to plan your future: If you’ve had a recent issue or crisis or even one in the past, talk about it with your team, and any other affected departments. Try to do this in a timely manner after a crisis occurs while the experience is still fresh in people’s minds. What were the implications on your organization, and how could they have been improved if things had been handled differently from a communications point of view? Debrief about what your organization’s next steps could be in the future. This will illustrate the need to adapt your planning and coordinate going forward. It’s also an opportunity to ask for the resources and budget you need to do further preparedness work.
For more information or consultation on crisis response or readiness, please connect with our speakers.
Shafiq Jamal: [email protected]; 778-986-5600 (cell)
Alex Russell: [email protected]
Kylie McMullan: [email protected]