Wednesday 12th July 2023

A view from the coalface of one of the biggest cyber-attacks to date

Last month, against the backdrop of the MOVEit hack, members of the CIPR Crisis Communications Network heard from expert Jim Steven on how to respond to a data breach…

At the CIPR Crisis Communications Network, we run an Open House event roughly every quarter. The idea is for our members to just drop in with any crisis communication issues, challenges or questions they might have. Just in case, whoever is chairing – and this time it was me and fellow committee member, Sara Naylor – we always have some interesting crisis communication case studies up our sleeve to get everyone going.

This time the event took place against the backdrop of yet another major cyber-attack. The MOVEit hack involved cyber criminals gaining entry into the payroll information maintained by the BBC, British Airways and Boots the chemist amongst many thousands of others. Fortunately for us, Jim Steven, head of crisis and data breach response at Experian Consumer Services, dropped in to give us some good advice.  

Jim’s work is with organisations impacted by crisis who need to communicate with thousands, often millions, of customers. This includes putting in place a comprehensive consumer response plan that will address everything from customer notification call centre support to providing credit and identity monitoring services. He doesn’t only deal with cyber-attacks, but it is a huge part of his work at the moment.

The role of AI in crisis response

But we began our June open house session with a reprise of our recent webinar on AI. There were a number of conclusions. Firstly, there was general agreement that AI can speed up our responses. One of the speakers at our AI webinar actually talked about saving half a day’s work when dealing with the communications around the recent earthquake in Turkey. One of the areas of crisis communication where AI is being used is stakeholder segmentation when it comes to messaging: basically, slicing and dicing the crisis narrative to make sure it is applicable to various stakeholder groups.   

There is an obvious use for AI in scenario planning, which can take hours and hours of work. I know this well, as it forms a large part of my crisis communication work. The scenario must be as real as possible to be credible, so it means getting completely up to speed on an organisation and a sector in a very short time. Finally, AI holds a lot of potential for analysing media and social media coverage and giving us immediate insight into how the crisis narrative is landing in real-time.

But there are the obvious downsides or challenges. We need to decide what is said to clients if we are using, for example, ChatGPT for our work. We need to remember anything we input into these platforms theoretically has been released to the wider world. Not usually advisable for much of the sensitive work we do.  

AI can and does get it wrong on occasions. I told a story about when I used ChatGPT recently to suggest how to communicate a very technical message in a more engaging way. The suggestion was certainly easier to read but it was also factually incorrect. Finally, as the PR profession, like so many others, grapples with issues around diversity and inclusion it is worth remembering that AI at present is taking what it has from an internet largely comprised of Western voices.  

Before we grilled Jim on the latest cyber-attack, we asked him about his company’s use of AI. Jim uses AI for what he called ‘triage one’ – ie when his company is helping manage inbound contacts from customers impacted by crises to answer simple questions and direct them to the right place for more detailed information. Really no different to the chatbot facilities we have all gotten used to online with the aim being to manage the flow of work.

The downside for Jim is that AI lacks empathy. It’s also not good at giving answers to multiple questions framed in a single question. Work is being done to merge a chatbot seamlessly into a live agent where necessary. When it comes to the slicing and dicing of messaging, Jim pointed out that machine learning needs a lot of feeding in terms of data to use, so it’s not going to work well if the information it has is new and there is no obvious body of data it can use to come up with suggestions. So Jim’s verdict is that AI is not quite there yet.

MOVEit cyber attack

Jim had a lot of interesting insights to share about the recent MOVEit cyber-attack. He kicked off by saying he had written more proposals for clients in the last few weeks since the attack than he usually writes in a year – around 300. Tens of thousands of organisations had been caught up in this crisis, which emanated from a weakness in a secure file transfer system used to move multiple pieces of sensitive data from A to B.

One of our attendees asked Jim for the top few actions to take if your organisation is a MOVEit victim. First off, Jim suggested getting some good legal advice. There is a legal duty to notify the Information Commissioner within 72 hours if personal data has been compromised in this way. Make sure any breach is fully confirmed before you make any report of this kind. One of the biggest challenges – and it takes usually around a week – is working out exactly what data has been compromised. Again, the legal team can help with issues around legal privilege whilst this part of the investigation, which could involve third parties such as suppliers, is in progress.

Then it’s down to crafting the messaging that will give customers the reassurance they need. For example, if no financial data has been impacted then tell them that upfront. Then it is into channel management. Which are the best channels to use and how many times does messaging need to go? Getting this right and managing the workflow when millions of customers are involved is the challenge. Also, you may want to think around some kind of consumer recovery package such as credit monitoring to reassure customers their financial profile has not been impaired or perhaps discounts on future purchases if you are a consumer goods company. How any of this is delivered must be carefully thought through.

When it comes to preparation for a cyber-attack Jim had one simple piece of advice: “The single biggest thing I would do is look at personal data you hold and see if you really need it, and if you don’t really need it, delete it.” Sort of if you don’t use it, lose it.

Chris Tucker is chair of the CIPR Crisis Communications Network. Read the original post where you’ll also find details of the next open house, which will be held online at 1pm on 12 October.