Preparing for crisis communications during cyber incidents
- Published: Friday, 28 September 2018 08:39
A conventional approach to crisis communications may not be sufficient when it comes to a cyber incident, says Charlie Maclean-Bristol. So, what steps can you take now to prepare your organization for a potential cyber incident?
If you are properly ‘crisis ready’, you should have a crisis management plan, media-trained spokespersons and pre-prepared communications scripts. However, I don’t think this is enough when you are responding to a cyber incident. It is a good baseline, but in a cyber incident you have to move quickly and communicate fast. You don’t have the time to scramble around and work out how to communicate with your affected stakeholder groups. With GDPR, you have a maximum of 72 hours to communicate the breach, but within that time you also have to contact all those impacted by the incident. This does not leave a lot of time to identify stakeholder groups, develop communications and get them out to those whose data has been compromised. However, there are a number of steps you can take now to prepare yourself and speed up the process of communicating with stakeholders.
1. Identify the worst-case scenario for what you could potentially lose, as well as what personal information and other data you hold. This should be down to fine detail, such as whether you hold National Insurance numbers or just names and addresses, and how much credit card information you have. The average time an attacker has been inside an organization’s systems before being discovered is decreasing, but in 2015 it was 200 days. With dwell times of that length, there is a real possibility that all of your data has been compromised, so you should do a risk assessment to establish exactly what data you hold.
2. You need to identify the groups you will need to contact if all of your data is compromised. This could include staff, customers, past customers, suppliers, previous job applicants and past staff. The list could be substantial.
3. Next, you should determine how you will contact each group during a cyber incident. Will a post on the website or a statement via social media be enough? Or do you need to email, call or write a letter to each stakeholder group? You also need to check whether you actually have the means to contact them. You may decide to email everyone, but when you look at the data you find that you are missing 20 percent of the email addresses required. You should consider how you will contact the hard-to-reach groups, such as elderly people who may not use email, people with vision loss, and those who have opted out of communication from your organization. You also have to think about the practical details of contacting people. Will your email system let you send out 10,000 emails simultaneously? If you have to send out 250,000 letters you would need to engage a mail fulfilment company. Agreeing a contract and then sending the letters may take more than 72 hours, so you need to have an agreement with such a company in advance.
4. Once you have done step three, repeat the exercise assuming you have no access to your systems and databases because ransomware has locked you out. This makes everything more difficult and adds another layer of complexity.
5. It is worth writing prepared communications now, in the different mediums you would use for contacting various stakeholder groups. You know who they are and what information of theirs you hold, the only thing you don’t know is what data has been compromised by the breach and how it happened!
6. You need to decide whether you are going to offer any support and advice to people who have had their data compromised. If you are going to offer a credit monitoring service to those impacted, I suggest that you look into this now. You should understand the service the provider offers, whether it is appropriate for your stakeholders and how to implement it. If you need to have this in place within 24 to 48 hours, it is probably worth having a call-out contact for it. You also need to think about what help and support you will offer to those affected. If you are going to set up a helpline, where are you going to find the people to operate it? Do they have the skills to help those calling in, and what IT systems will they need to access to find the information callers might want? If your call centre becomes swamped and people can’t get through, this could lead to another negative media story that puts you back in the spotlight.
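A readiness check for step three above, written as an added example (it is not code from the article or from PlanB Consulting): given an export of stakeholder records, it reports per group how many people can be reached by email, how many fall back to a letter, how many are unreachable with the data held, and whether the demand on each channel exceeds what can be sent within 72 hours. The records, the channel capacities and the rule that opted-out contacts are routed to a letter rather than email are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed assumptions: how many notices each channel can get out inside
# the 72-hour window (e-mail system send limit; letters via a pre-contracted
# mail fulfilment company). Replace with figures agreed with your providers.
CHANNEL_CAPACITY_72H = {"email": 10_000, "letter": 2_500}

@dataclass
class Stakeholder:
    group: str               # e.g. "staff", "customers", "past_customers"
    email: Optional[str]     # None models a missing e-mail address
    postal: Optional[str]    # None models a missing postal address
    opted_out: bool          # has opted out of e-mail from the organisation

def choose_channel(s: Stakeholder) -> Optional[str]:
    """Fastest channel the held data supports. Assumed rule: opted-out
    contacts are not e-mailed and fall back to a letter."""
    if s.email and not s.opted_out:
        return "email"
    if s.postal:
        return "letter"
    return None  # no route with the data currently held

def audit(records):
    """Per-group reachability counts plus the channels whose demand exceeds
    what can be sent within 72 hours."""
    per_group = defaultdict(lambda: {"total": 0, "email": 0, "letter": 0, "unreachable": 0})
    for s in records:
        row = per_group[s.group]
        row["total"] += 1
        row[choose_channel(s) or "unreachable"] += 1
    demand = {ch: sum(r[ch] for r in per_group.values()) for ch in CHANNEL_CAPACITY_72H}
    over_capacity = {ch: n for ch, n in demand.items() if n > CHANNEL_CAPACITY_72H[ch]}
    return dict(per_group), demand, over_capacity

# Constructed sample records standing in for a stakeholder export.
SAMPLE = [
    Stakeholder("staff", "a@example.com", "1 High St", False),
    Stakeholder("customers", "b@example.com", None, False),
    Stakeholder("customers", None, "2 High St", False),
    Stakeholder("customers", "c@example.com", "3 High St", True),
    Stakeholder("past_customers", None, None, False),
]

if __name__ == "__main__":
    groups, demand, over = audit(SAMPLE)
    for g, row in groups.items():
        print(g, row)
    print("demand:", demand, "over capacity:", over or "none")
```

Run it against a real export and the "unreachable" and "over capacity" figures tell you which gaps (missing addresses, fulfilment contracts) to close before an incident rather than during one.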
The one thing about cyber incidents is that you don’t have a lot of time. You have a statutory responsibility under GDPR and a moral responsibility to warn your stakeholders that their data may have been compromised, and this needs to be done within 72 hours at the most. If your response is not seen to be organized and sufficient, you may be fined by the ICO (if you are based in the UK). With GDPR having only just come in, the ICO may look to make examples of organizations that do not discharge their obligations sufficiently. So, business continuity people, now might be a good time to start working through the above list with your communications people!
Charlie Maclean-Bristol, FEPS, FBCI, is Director of Training at PlanB Consulting.