Ahead of this year’s Crisis Management Conference, Regester Larkin’s chief executive, Andrew Griffin, looks at how organisations can prepare for a cyber crisis.
Organisations must be prepared to face any sort of crisis, from major physical incidents to scandals and performance failures. According to our recent crisis management survey, organisations are more confident in their ability to respond to familiar risks, such as industrial accidents and extreme weather events, than to unfamiliar ones. For most, a cyber attack is unfamiliar territory. Yet cyber risk is a key commercial and reputational vulnerability that has moved quickly up organisations’ risk registers in recent years.
As with all aspects of crisis management, preparedness is key. The unique dynamics of a cyber crisis need some special attention. Here are three tips for organisations getting ‘cyber crisis ready’.
- Plan the logistics of communication
All organisations should have a crisis communications plan, but few of these plans consider the logistics of communicating. A cyber crisis might require direct communication with consumers, customers and stakeholders, sometimes with important information about actions they should take. But a cyber attack could debilitate normal communication channels, most of which don’t have the capacity to reach large numbers of people in short time periods. And, of course, internal systems may have been directly impacted, isolated or disconnected to contain the attack. Thinking through these realities during peacetime is an invaluable time saver in a crisis.
- Don’t be a victim
Even if an organisation is the ‘victim’ of a cyber attack, it can never play the victim card.
Stakeholders may feel let down: an organisation they trust has failed to protect their interests. They must feel that you understand and regret that they have been impacted by the cyber attack. The watchwords here will be care, concern, containment and control. Containment in particular is hugely important in a cyber crisis. If the organisation cannot put a fence around what has happened, the assumption will be that the situation is out of control and uncontained. The last thing stakeholders want in this situation is for the organisation to play the victim card: they want to see action and hear the right emotion.
- Ensure you know the facts
A cyber crisis, again like most crises, is characterised by a lack of information in the early stages. What exactly has happened here? What has been compromised? What information is lost? With a cyber incident, the lack of knowledge is about other people’s information and details. Knowing what the organisation does and doesn’t hold on its customers, employees and consumers is the most important step. The organisation’s spokespeople (many of whom will find the whole ‘cyber thing’ very unfamiliar and confusing) will need to be reassuring wherever possible. Knowledge is key: information should include what data is held on customers, how the data is stored and details of the organisation’s investment in cyber resilience.
We have seen through a series of recent high-profile data breaches that cyber attacks can have significant commercial and reputational impacts. Preparedness is the key to successful response.
The Crisis Management Conference will be held on Wednesday 14th September in London. For further details on the programme and how to register, please visit the CMC website.