In today’s digital age, cyber threats are a potential crisis that hovers over every organisation – regardless of industry, size, or prominence.
A crisis caused by a cyber attack can be especially debilitating: it’s not simply a case of your computer systems being compromised; the effects can reach every part of your organisation. Such crises affect your ability to deliver your product or service, take employees away from value-adding activity, and shake consumer and investor confidence. Ultimately, they can ruin your organisation’s reputation and threaten its existence.
Fortunately, the damage caused by potential cyber attacks can be significantly reduced with an effective crisis communication plan. With this in mind, let’s look at how to create a crisis communication plan for cyber threats for your organisation.
What is a crisis communication plan for cyber threats?
A crisis communication plan is a strategy that an organisation has in place for effectively addressing serious issues that threaten to throw it off balance and affect its normal operations.
While some organisations include cyber threats as part of their overall crisis communication plan, this isn’t optimal. Due to the unpredictable and sudden nature of cyber attacks, and their ability to impact any area of an organisation, it’s a much better and safer practice to have a dedicated crisis communication plan for cyber threats.
This plan should include:
- What you need to communicate, i.e., the nature of the crisis and what you’re doing to mitigate it
- Who you need to communicate with
- Your means of communication
- Who is responsible for executing the plan, i.e., your crisis communication committee
- The resources at your disposal for resolving the crisis
Clear, timely, and effective communication is vital for limiting the negative impact of a crisis on an organisation’s ability to operate, its brand, and its reputation.
Why is a crisis communication plan for cyber threats so important?
It’s important to have a communication plan in place because it helps prevent a crisis from escalating into a full-on disaster.
Without the appropriate response in the face of a crisis, victims, employees, stakeholders, and the general public are simply left to interpret the dire situation themselves. This creates additional uncertainty, misinformation, and panic, which allows the crisis to feed on itself and potentially spin out of control.
In contrast, when an organisation is open and honest about a crisis caused by a cyber attack, they retain some control over the narrative and can reassure affected and concerned parties that they’re in the process of resolving it.
A crisis communication plan for cyber threats is key in minimising the damage to an organisation’s reputation. Although protecting a public image is important for all organisations, it’s even more so for publicly traded companies – as blows to their reputation affect their share price.
Additionally, while it’s crucial to communicate with external parties, internal communication is just as important. Keeping your employees informed allows your organisation to present a united front throughout the crisis. It also prepares them to field enquiries and makes clear what information they’re not allowed to share.
4 steps for developing an effective crisis communication plan for cyber threats
Identify potential cyber threats
The first step in building a crisis communication plan is identifying the types of cyber attacks your organisation is most likely to encounter and their potential consequences. This offers the dual benefit of exposing potential vulnerabilities in your organisation’s cybersecurity and better preparing you in the event such attacks occur.
By gaining a better understanding of the holes in your organisation’s security protocols, you can be proactive and take the necessary actions to plug them up. This includes giving your cybersecurity team the necessary resources and training to better identify potential cyber threats.
Just as importantly, by anticipating potential cyber threats and your response to them, you buy yourself time if one occurs. You won’t be left scrambling to determine the correct action or grappling with important decisions during the crisis.
Create a cyber threats crisis communications committee
Once you’ve identified your organisation’s most dangerous cyber threats, assemble a crisis communications committee. It’s best if a member of senior management, ideally the director or CEO, leads the committee. The committee should also include representatives from your IT, HR, and legal departments. Their role is to execute the crisis communication plan for cyber threats: centralising all relevant information, coordinating resources, and deciding on the content of communications and who should receive them.
Each committee member’s role and responsibilities should be clearly defined and documented. Also, take note of the resources at each member’s disposal, the action they take towards the crisis’ resolution, and the results of that action.
Create drafts of crisis communication statements
Having identified your organisation’s most likely cyber threats, you’re in a position to draft statements in response to each. Consequently, if any of them transpire, your organisation already knows what it wants to communicate and how – saving precious time when the pressure is at its height.
Now, they may not be perfect, but all you’ll have to do is tweak the draft statements to fit the situation, which is far preferable to deciding what to say from scratch.
Identify key stakeholders
Carry out a stakeholder analysis to determine who you need to communicate with – and the urgency with which you need to contact them.
The first group to communicate with are any victims of the cyber attack. Getting hold of them as quickly as possible allows them to take the necessary steps to protect themselves – or deal with the consequences of the attack.
Next, you need to address internal stakeholders, i.e. your staff. Keeping your employees in the loop lets you brief them on how to communicate with the outside world. By doing so, you don’t simply assume confidentiality, and you reduce the possibility of leaks. From there, inform other stakeholders, such as suppliers, unions, consultants (accountants, lawyers, insurance brokers, etc.), investors, and other people involved with your organisation.
Lastly, you can inform the press and general public – if you’ve managed to keep a lid on the crisis and word of it hasn’t already leaked.
Get in touch with RiskXchange to learn more about building a crisis communication plan for cyber threats in your organisation.