Following is an excerpt from my recently published position paper “The Forgotten Fear Factor: Communicating During a Hack Attack:”
The next time you read an article about a cyberattack and think, “That could have been us,” it’s too late. The hackers may already have infiltrated your system, too. How effectively are you ready to communicate when that ticking time bomb detonates?
You would be well served to take the long view. This is admittedly a challenge in the day and age of quarterly results and their expectations serving as the benchmark for success or failure. Prudent investments—both in technology and in communications capacity—are necessary on a sustained basis.
There is plenty of advice available regarding how to bolster your IT department: Hire more skilled workers, buy that shiny new company’s anti-hacker services, tighten your company’s email filters.
But what of the important question, how can your business ramp up its communications strength? There seems to be far less discussion on this matter, so here are some suggestions to help guide you:
- Charge your communications staff with organizing and leading regular simulations surrounding cyber threats.
- Craft your message in anticipation of an attack. While you won’t be able to divine the precise nature of your situation, you can and should set a general template that helps you outline what to say when the time comes.
- Decide which executives will be your public face in which situations. It is normally a good idea to place your CEO front and center, unless he is a lost soul as a communicator.
- Hold periodic media training workshops for those executives who will be in the press’ line of fire during any cyber crisis. Note that this means more than a “one and done” session. You need ongoing skill sharpening.
- Do your best to assure in advance that your communications, legal, and public affairs teams play nice together. Anticipate disagreements about how much to say when crisis strikes (the lawyers typically want to say little while communicators argue for more disclosure), and decide on the proper balance for your state of affairs.
- Establish a relationship with an experienced communications training consultant who can guide you through your mess before, during, and after your cyberattack. If you are under contract with a public affairs or public relations agency, make sure they have someone on staff with this specific type of expertise; be aware that many agencies, even the global players, have axed their training departments in recent years and may lack this capability. Unless your contract with them is written to your extreme disadvantage, you have the right to select an independent consultant to work hand-in-hand with you and your agency.
- If your issue is liable to incur governmental oversight, arrange a testimony training workshop for your executives who may be called to testify before Congress, state lawmakers, or federal and state regulatory bodies.
- When the attack comes, put that messaging document into action and make it specific to the real-life conditions you now face.
- Insist on periodic reviews of your messaging as the drama unfolds. In some cases—particularly in the early hours of your crisis—this may require hourly or even minute-by-minute adjustments.
Allow me to emphasize that you must take action and prepare before your cyber crisis hits. You will be sorely disappointed if you find yourself scrambling when a crisis jolts you into awareness.
What other advice would you add to the bulleted list above?