It’s a communication crisis. But, it is not the same as a fire, natural disaster or production delay.
A cybersecurity breach is a communication crisis that is unique. That’s because when it is discovered you might not know all the facts immediately and it can drag on for a long time. You might not know the extent of the breach, the damage, when it happened, or the recommended course of action. All of this makes it a complicated communication nightmare–not to mention that you have numerous audiences: employees, customers, vendors, investors, and the media.
Here are a few of the facts about cybersecurity:
February 2016, a survey conducted by MIT Technology Review Custom in partnership with FireEye and Hewlett Packard Enterprise (HPE) Security Services found that “Forty-four percent of the 225 business and IT leaders polled said their organizations didn’t have cybersecurity crisis-communication plans in place; another 15 percent didn’t know whether they had such plans.”
In fact, 60% of small companies that are attacked go out of business in six months.
While many believe that only large high-profile companies are at risk, that is not the case. Smaller companies may be easy targets because they do not have as many safeguards in place or resources to cope with an attack. That makes it imperative that businesses, especially small and medium-sized organizations do not delay in planning.
Here are just a few things to consider.
Identify a team that can assist you. It might include legal counsel, IT professionals, and communication or public relations experts. You may already have these individuals as a part of your outside resources. Be sure you have emergency contact info for these companies in various locations in case you are unable to access your databases. You need to be able to separate this communication from regular/non-emergency communication.
Figure out how you will gather information if systems are crippled. Who will take the lead to communicate information? Some people believe it should be just the CEO that communicates. I think a team approach may be best, but everyone must be on message.
Create a list or a framework for how and what you will communicate. For example, does everyone get the same communication? Consider having a separate website or splash page for emergency situations. It does not need to be complicated but should be designed and tested in advance. If you use social media, that is another way to keep stakeholders informed.
Also, consider what will you say to the media if they come calling? If you are really prepared, you will have media-trained one or two spokespersons. Understand that anything you say to the media can be used in a lawsuit.
When a cybersecurity breach occurs, it is critical that you communicate early and often. This is a situation that may linger, so be prepared. How you handle a cybersecurity breach or other crisis can instill confidence or make a bad situation even worse.