Cybersecurity: ‘when’ rather than ‘if’ your organisation is targeted
How can public relations practitioners prepare themselves, the board and other colleagues for the fallout of a cyber-attack on their organisation?
In a letter recently published in the Daily Telegraph by the director general of MI5 and the chief executive of the Confederation of British Industry (CBI), the co-authors called on UK businesses to protect themselves against cyber threats.
The recommended steps towards safeguarding include reviewing security procedures, upskilling your people and updating response plans.
If this were not enough to encourage us to act, recent fines for security breaches and costs to the business running into tens of millions of pounds further highlight that it is very much a case of ‘when’ rather than ‘if’.
Research published by the Department for Science, Innovation and Technology shows that fewer than half of medium-sized businesses have a plan in place, rising to only 64% for large companies.
Putting a plan in place
As public relations practitioners, we plan for issues based on a risk assessment of their likelihood of occurrence and the severity of impact.
For cyber, the frequency with which attacks occur, their business-wide implications, the risk they pose to ongoing viability and to the corporate strategy, and their long-term reputational impact all mean that cyber should be at the top of our prioritisation list.
Having a rehearsed and tested plan in place will allow time to assess the issue and develop a clear strategy for the days and weeks ahead that minimises stakeholder impact and aids a quick recovery.
The communications playbook should set out a set of principles that provide the corporate guard rails for your response. Some practitioners are lulled into a false sense of security that the principles alone are enough. Having navigated a cyber-attack, we do not agree with that approach: principles tell you how to behave, not what to do first.
Developing your communications plan based on identified scenarios will give everyone executing the plan the confidence to undertake their roles and perform the task in the appropriate order for your organisation.
Working in silos won’t work
The communications plan cannot be developed in isolation from your organisational response. Cyber gives public relations practitioners an opportunity to perform our environmental spanning role: understanding our organisation and the outside landscape, and analysing that information so that we can give senior counsel.
To better understand our organisations, we need to have cross-functional conversations with our colleagues ahead of time to understand the demands on the operation including the security, legal and regulatory frameworks.
This can only be done during business as usual. Working together and understanding these demands, while remaining in your respective swim lanes, will enable you to mount a more robust and cohesive corporate response.
Discussing the corporate position ahead of time will also allow everyone to voice their opinions at the top table. Some people may subscribe to the view that a breach can be kept quiet, but this is a high-risk strategy that disregards the protections owed to impacted stakeholders, not to mention the legal and long-term reputational consequences.
Stakeholder approval
When managing a cybersecurity issue, you will have to handle a large volume of press calls and social media activity, and roll out a number of communications to different stakeholders within a short timeframe.
Therefore, all the communications need to be pre-drafted within the plan for each of the different stakeholder groups.
These should be pre-approved by all your internal stakeholders and then edited at the time of occurrence. Other than the initial acknowledgement statement, which should be ready to issue as soon as the incident is confirmed, they must be reapproved before being issued, since the facts of the incident will shape the final wording.
Customer communications need empathy. In addition, you need to do what you say you are doing. Customers will need your help, so put yourself in their shoes and think of the impact on them. Through your communications, give them the information they need to protect themselves, and give it through your established channels so that they can tell your genuine messages apart from the phishing attempts that often follow a breach.
For cyber, the order of the tasks is critical. Testing your plans through simulations will give you the confidence to enact them with precision when the time comes. Remember, it will be a stressful time under considerable pressure, and it is your responsibility to give your team the confidence to perform their roles.
Managing the response
Based on our own first-hand experience of managing the communications response to a cyber-attack, we recommend integrating the tasks and processes into the everyday way of working so that the performance of the tasks becomes second nature.
You do not want to be reaching for a crisis communications manual that sits on a shelf; the manual should exist to meet the regulatory requirements of your industry, not to be read for the first time during an incident.
Because of the financial, legal and reputational impact of cyber, from both the risk and the value-creation perspectives, it is an issue that is now being addressed at board level.
It is the board’s responsibility to manage the risk responsibly by not prioritising short-term financial gain over longer-term resilience.
The board also needs to provide assurance and oversight. This awareness has meant that more budget is being allocated to cyber preparedness and that cyber insurance is being taken out.
Cyber is not just in the domain of information technology. It is a cross-functional responsibility. A key role that the public relations teams can, therefore, play in helping to prevent a cyber-attack and limiting potential damage to the business is preparedness.
Phishing emails are consistently reported as one of the leading routes into ransomware attacks, so awareness and training are key, alongside the technical controls the security team owns. By working with the security team, we can help create the right security culture for the organisation through effective internal communications.
The one thing to avoid at all costs is making the situation worse. Communications cannot undo the breach, but we can communicate openly and transparently, especially as it is a case of ‘when’ rather than ‘if’.
Mike Evans and Elizabeth Maclean are co-managing directors of strategic communications agency Herdwick Communications.