Cyber-attacks on organisations in both the public and private sectors are becoming an increasingly regular event. Big names recently hit include M&S, Harrods, the Co-op and the Legal Aid Agency — each one facing devastating damage to operation, finances and data security.
GCHQ’s National Cyber Security Centre has warned that the rise of AI-enabled cyber threats, from malicious state actors or highly organised criminal gangs, is set to grow over the coming years.
Good communication alone won’t fix a cyber-attack. But they’re critical in protecting your corporate reputation, calming stakeholders and safeguarding commercial interests.
While a lot of your crisis response will mirror what you’d do in a non-cyber crisis, cyber incidents are a different breed. They spread faster, hit harder, and put your critical systems at immediate risk.
Definition’s top 10 tips for communicating in a cyber crisis
1. Have backup ways to communicate
A severe cyber-attack could take down your usual communication channels. So make sure you’ve got alternative options available — phones, social media devices, emergency email addresses — off-site if necessary.
2. Be transparent
Be open and transparent about what’s happened, who’s affected and what you’re doing to fix the matter.
3. Move fast
Get your comms out quickly and clearly. A cyber-attack’s impact tends to grow as more becomes known. Always include phrases like “as far as we currently know’” so that you’re not caught out if things change later. Give regular updates to all those affected. If you leave a gap, others could fill it with misinformation or deliberate lies.
4. Stick to the facts
Become the go-to source of true, accurate and verifiable information. Don’t engage in speculation. Building that trust in ‘normal’ times will pay off when you really do need to be trusted.
5. Keep it simple
Drop the technical jargon and corporate waffle. Speak plainly, clearly and directly so everyone understands exactly what’s happening.
6. Stay consistent
Make sure you’re saying the same thing everywhere and to everyone — internally and externally, across all channels. Mixed messaging creates confusion and feeds mistrust.
7. Talk clearly to each audience
Know your audiences, including employees, shareholders, clients, suppliers, regulators or the media. Then tailor your communications to each of them.
8. Work with the media
Journalists are just doing their jobs — they’re not the enemy. Anticipate their questions and prepare your answers. If there’s something you can’t talk about – for confidentiality reasons or to avoid harming a police investigation — say so. Saying ‘no comment’ won’t kill the story, but it’ll only push journos with tight deadlines to less reliable sources, and that can make a bad situation worse.
And remember, the media can be helpful in getting important information out quickly to the public if your own communication channels go down.
9. Keep track of how people feel
After the incident, monitor how customers and the public respond. Tracking sentiment helps you see if your messages are landing well or if they’re missing the mark. You’ll spot shifts in brand perception quickly, so you can take any necessary corrective action.
10. Learn lessons and share them
Sharing the lessons you’ve learned from an incident with trade bodies, sector organisations and even rivals, will help improve overall resilience. Cyber-attacks can target anyone, at any time — and if everyone’s a potential victim, we’re stronger working together to build better defences.
Plan and prepare — before the worst happens
You can’t predict exactly when or how a cyber-attack will strike — but you can be ready.
Working with an experienced crisis communications consultancy means you’ll have a robust plan in place that identifies potential risks, ranks impacts, maps stakeholder audiences, establishes a crisis communications team, assigns roles and responsibilities and prepares draft scenario statements.
It’ll save time, bring order to potential chaos and puts you in control should the worst happen.
We’ve helped clients in multiple sectors on effective crisis comms planning and in handling ‘live’ crisis scenarios, including law, professional services, healthcare, education, manufacturing, charity and FMCG.
Want to see how we could help you too?
Get in touch
Written by Peter Davenport, Crisis Communications Consultant at Definition.