Wednesday 12th April 2023

Cyber crisis communications – a framework for communicating in the event of an attack

When, what and how to disclose a data breach

Forty per cent of UK businesses experience a cyber-attack each year, and of these around 20% say that an attack had a negative impact. The figure is higher for public sector organisations. Given the cumulative effect, preparing to communicate in the event of either a deliberate attack or an unintentional leak of information (a breach) is, for many organisations, an essential element of risk and issues management.

In their paper ‘A Framework for Effective Corporate Communication after Cyber Security Incidents’, Richard Knight and Jason Nurse review case studies of data breaches over a three-year period [September 2016 - May 2019] involving UK companies. It is a long list and features household names like B&Q, Ticketmaster, Superdrug, Butlins, Sodexo and Hotpoint.

A cursory search for contemporary news articles on cyber-attacks and data breaches will reveal new stories every day, which is why the guidance developed by Knight and Nurse is so valuable. At its centre is a decision-making tree that helps organisations answer questions about whether, when, what and how to disclose a data breach. It also includes a very useful grid for message framing, which features advice on:

  • Accepting responsibility 
  • Avoiding downplaying and blaming
  • Reviewing aggravating factors to avoid messages damaging credibility
  • Age, gender and cultural differences in audiences 
  • Ethical considerations 
  • Communicating liaison with law enforcement.

In the cases of breaches at BA [September 2018] and Dixons Carphone [June 2018], they suggest “questions were raised over whether the public was informed in a timely manner.”

They add: “This topic highlights the dynamic between the need to communicate quickly and the time required to understand the situation and provide accurate information. It is thus important that the timing of external communication is considered as part of any effective guidance.”

This friction was one of the major challenges faced by one senior leader of an organisation subject to a recent data breach – let’s call him ‘John’ because he would like to remain anonymous. 

“There is a real tension in the initial stages in balancing the need to inform key stakeholders while making sure you avoid releasing inaccurate information,” said John.

This is a significant tension in cyber-crisis communication because the regulatory requirements (and ethical imperative) that an organisation informs subjects of a data breach in a timely manner mean that it is extremely likely that the organisation will have to start communicating widely while it is still investigating the extent of the breach, its cause and impact.

Beyond regulatory requirements, as Knight and Nurse note, it is generally best to publicly notify of a breach as soon as possible because: 

  • It helps address feelings of vulnerability for those affected
  • It is important data subjects hear it directly from you first to avoid a loss of trust – what in general crisis communications is called ‘stealing thunder’ 
  • It may be easier to frame public opinion at an early stage in a crisis
  • The company may have obligations around insider trading.

This means speed is essential in the earlier stages of a recovery from a cyber-attack or breach, and this, according to John, has specific ramifications.

“You need to ensure you have the right contacts for lawyers and specialist IT support in your mobile phone and preferably on speed dial.”

Effective leadership in these circumstances – in order to limit recovery time – involves building good relationships with those key suppliers ‘at speed’.

Cyber crisis communications is also marked by a very specific challenge – the attack may well damage (sometimes significantly) the organisation’s capacity to communicate.

“It may be appropriate to use all available channels [direct and indirect] for communication to increase reach,” suggest Knight and Nurse. 

But not all channels may be available. In the case of John’s organisation, access to key communication tools, including the phone system, was severely restricted for several weeks. 

While contact and operating databases were not corrupted, access to them was blocked, which meant that the organisation could not dispatch emails to its client base. As the subject of a ransomware attack, it was also wary of publishing information on its website that might make the situation worse. 

Workarounds were required. The senior leadership team used the contacts saved on their mobile phones to inform key stakeholders and other outreach happened at a departmental level using the same tactic. All essential contact was made within 24 hours of the breach. 

Once limited access to the client record system was obtained, the entire system was downloaded and a blanket email was sent out to inform clients about the breach.

John describes how the first week following discovery of the breach was particularly difficult, with senior staff working very long hours, “but things did get better”. 

This pressure on leadership presents a challenge to those providing communication support – there may well be limited capacity to engage with leaders initially, because they are so busy with the investigation stage. 

There are resilience ramifications too for public relations functions dealing with an issue that might require significant communication resource at different stages. Using frameworks like Knight and Nurse’s can help relieve some of the pressure on organisations suffering such a breach.

Ben Verinder is managing director of specialist reputation research and management agency, Chalkstream.