How to create Crisis Comms that will take your crisis response to the next level

Cybersecurity incidents are becoming increasingly common, and they can have a devastating impact on organizations of all sizes. Wavestone’s recent CERT-W report found that Cyber criminals are also becoming more opportunistic and well organised, targeting a healthy middle market with financial gains is in mind of the majority of cases (WS CERT 2019-2020 Cases)

For the companies who are in the unfortunate position of recovering from a crisis, the communications strategy can make or break the response. This is true both through the crisis itself and the outside view that emerges as a result of your communications. When a cybersecurity incident occurs, it is critical to have a well-defined crisis communication strategy in place – as if it done well – such a strategy can be the difference between the business continuing to be seen as a trusted partner, retailer or provider and not.

What elements make a successful comms plan?

The strategy should outline how the organization will communicate with stakeholders, both internal and external (employees, customers, partners, and the media) during a crisis, as well as containing relevant communication templates to use during a crisis.

There are a few key things to keep in mind when developing a crisis communication strategy for cybersecurity incidents:

Be prepared: The strategy and a communication toolkit must be developed in advance and regularly reviewed and updated. This will ensure that the organization is prepared to communicate to the best of its ability if a severe cybersecurity incident occurs.
Be clear: Messaging communicated under the strategy has be easy to understand and based on as accurate information as possible. This will help to build trust with stakeholders.
Be proactive: The strategy’s success hinges on its proactivity and must be used to effectively communicate with stakeholders before, during, and after a cybersecurity incident. This avoids stakeholders finding out from a third party and will help to manage the crisis and minimize its impact.
Be trustworthy: When organizations communicate openly and honestly about a cybersecurity incident, it can help to build trust with their stakeholders. This is important for maintaining customer loyalty and limiting reputational damage.
Be effective: Effective communication can help organizations to maintain operations during a cybersecurity crisis. By keeping employees informed about the situation and providing them with the resources they need to do their jobs, organizations can minimize the disruption to business.
Be consistent: Effective lines of approval during a crisis can help the business deliver consistent messaging around the crisis and retain stakeholder trust. This can entail multiple levels of approval from the head of comms, the crisis cell and group comms (if such an entity exists).

By following these tips, organizations can develop a crisis communication strategy to manage a cybersecurity incident more effectively.

It’s all in the planning

Taking a step further and looking at individual communications, whilst preparing a crisis communication strategy is an important step in validating templates ahead of time that can be built upon during a crisis.

Here are some specific tips for the pre-preparation and eventual customisation of individual comms during a cyber security crisis to ensure the business is communicating effectively:

Use clear and concise language: Avoid using jargon or technical terms that may not be understood. DNS Tunnelling, Zero Day Exploits and Active Directory may seem entry level from an IT or Security perspective but to the vast majority of people will not understand this terminology.
Be honest and transparent: Be honest about what knowns and unknowns about the incident. Sharing the right level of information is hard to gauge but the overriding point is that stakeholders need to know a reasonable amount of detail regarding the incident, but not so much that they know the specific weaknesses of systems.
Be proactive and timely: Communicate with stakeholders as soon as possible, even if you don't have all the answers. This illustrates that initiative taken to communicate with stakeholders and not waiting for them to come to you with questions.
Be consistent: Communicate using a consistent message throughout the crisis. This is often achieved through effective levels of approval on any comms leaving the crisis cell. Having everything signed-off using this process will ensure all stakeholders receive the same level of information and the right degrees of empathy and honesty.
Be empathetic and understanding: Understand that your stakeholders may be disappointed or angry. Being empathetic and understanding in your communications can be the difference between serious reputational damage and where the organisation is seen to be resilient in the face of the crisis.

Both the high-level strategy layer of the crisis communication plan and the tactical individual crisis communication messaging are critical considerations when responding to a crisis and are not mutually exclusive. Both must be done well in order to deliver well rounded, consistent and empathetic communication.

An effective crisis comms strategy with poorly considered individual messaging can leave stakeholder feeling like the business is out of touch. Whereas empathic and well considered messages could get lost without an effective strategy in place. In order to succeed, both elements are vital.