Following is an excerpt from my recently published position paper “The Forgotten Fear Factor: Communicating During a Hack Attack:”
More and more businesses are developing cybersecurity disaster preparation plans. It’s a necessity in this day and age. But if you stop there, you’re only fighting part of the battle.
A cyber communications plan is also a must. Just as an overall communications plan guides your business to a better public image, a cyber communications plan spells out how you will react and the steps you will take when hackers assault your organization.
Fail to devise such a plan and you’ll be left scrambling in a panicked and most disorganized manner when catastrophe arises. Make no mistake, this means a written plan, one that all of your workers can reference.
Sadly, relatively little guidance is available about this vital facet of crisis planning, though the tip sheet “Nine Crucial Crisis Communications Tips” can help you set a general framework for your approach to a cyber intrusion.
Plug the term “cybersecurity communications plan” into your favorite search engine and you’ll see plenty of advice about privacy, securing credit card information, better protecting mobile devices, and fending off email incursions. But you have to scour deep to find anything substantive and helpful about communicating with your publics.
Your communications about cybersecurity need to begin before events occur. You must communicate with employees and bring them up to speed on best security practices.
Once the cat is out of the bag, the pace of your communications picks up rapidly. You must be ready with a plan that answers such key questions as:
- How much information can you disclose, both legally and from a business perspective?
- Who is empowered to speak on your business’ behalf?
- Who belongs on the team that will craft and continue to refine your message as the crisis unfolds?
- Is there still a way to protect any intellectual property that may have been pilfered?
- What steps can you take to assuage clients and consumers and make them whole if their data has been swiped?
Cyber theft is as much a communications problem as an IT issue. To be sure, you need to include your online security and risk teams as you seek to understand and define your predicament. In most cases, however, these are not the spokespeople you want front and center when explaining things to the world. Jane and John Q. Public don’t need a buzzword-laden technical rundown; they need to know how your incident affects them, what you are doing to solve the problem, and what, if anything, they need to do.
In most cases, the bad news and resulting solutions should come right from the top—your CEO. Let’s hope that your business is one that plans for the future ahead of time and that you have a strong relationship with an experienced communications training consultant capable of guiding your leadership through an ongoing media training program.
When the crisis strikes, hold that consultant close (you may want to consider a retainer arrangement to see you through the hot and heavy times; this ensures you have ready access to the strategic communications and messaging counsel you’re going to need).
How have you begun to prepare for your upcoming cybercrisis? What advice can you offer to other executives who may be a step or two behind you?