2 November 2022

The four pitfalls of cyber crisis communications

Arjun Ramachandran

elevenM’s Arjun Ramachandran explores the common pitfalls that communications professionals need to avoid when managing a cyber security crisis.

Cyber crisis communications has had its coronation. As Australia’s data breach carnival regrettably continues to unfold, just as much ink has been spilled evaluating the quality of communications responses as has been written about how the breaches occurred.

Much of the criticism of the public responses by Australian companies has been fair and warranted – but not necessarily constructive. In my view, some critiques don’t give a fair enough airing of the genuine challenges involved. Some seem not to be informed by experience of actually managing a public response to a cyber incident or data breach.

In this post, I’m going to step through four common pitfalls of cyber crisis communications, and how we might avoid them.

For context, I’ve worked with businesses specifically on communication challenges relating to cyber security and privacy for about a decade. I’ve helped major Australian brands manage responses to data breach incidents and cyber-attacks and to develop cyber crisis communications plans.

Pitfall #1 – Striking the wrong tone

Many non-cyber folks associate cyber security with technical wizardry and the shadowy world of hackers and cyber warriors. When a crisis hits, communications teams can fall into the trap of thinking they must respond technically to be credible, and also commonly adopt an adversarial framing of “attacker versus business” for their responses.

Details about the technical ins and outs of an attack and of the identity of attackers aren’t wholly irrelevant. But overly focusing on these things sets the wrong tone for a communications response, one characterised by defensiveness, posturing and finger-pointing, and which can lead down the rabbit-hole of arguments with journalists about specific technical assertions and terminology.

The main ball game when it comes to public communications around a cyber incident is a business’ duty to protect its customers. Working from this premise, communications will emphasise accountability and empathy, and seek to communicate customer impacts.

Pitfall #2 – Crisis comms principles fall flat without data

The discipline of crisis communications is guided by well-known principles such as transparency, empathy, accountability and authenticity. But being able to live up to these principles rests firmly on having access to the necessary data – and that’s not a given in a cyber incident.

In recent breaches, we’ve seen anger directed at communications teams based on their apparent “refusal” to tell customers what data of theirs has been exposed. “No empathy! No transparency!”, critics might shout. But it’s often not until they’ve dealt with a cyber incident in a corporate context that many communications practitioners realise just how murky things can be.

The ugly reality is organisations often can’t say with any certainty what data is involved in an attack or – in the best case – won’t know for some days until forensics activities conclude. That complicates the mission to respond “transparently” and even “empathetically” (as you don’t even know the extent of the harm caused).

The lesson for communications teams is to anticipate and prepare for this more complex, information-poor scenario, rather than drafting naïve statements that can’t be meaningfully executed. In practice, you might need to buy time with early statements (it’s ok to say you are investigating) and may need to reconsider the utility of statements or disclosures that don’t have enough information to do anything other than aggravate or cause panic.

This reality also reinforces the need for communication teams to build strong relationships and open lines of communications with incident response teams, so that investigation updates are readily available and can shape the timing and content of communications responses.

Pitfall #3 – Information asymmetry

Further complicating the previous pitfall is the reality that, in a cyber incident, communications teams can sometimes find themselves no more informed (and sometimes even less informed!) than external parties, including critical ones like the media.

Information about a data breach (including the breached data and method of attack) might be posted on internet forums or chat groups that security journalists are frankly more familiar with than corporate affairs teams. This up-ends the common and conventional dynamic where journalists are on the outside probing to find out information and confirm a hunch while corporate affairs teams get to act as gatekeeper.

In this bizarro paradigm where journalists know more, communications teams are less well-served by being coy, dismissive, vague or employing any other such tools that ordinarily might dead bat an enquiry.

This same information asymmetry – in which security and technology journalists know the space more intimately – is also why the word “sophisticated” carries such a burden in cyber crisis communications.

Cyber-attacks are not a staple affair for most corporate affairs teams, and a prevailing assumption may be that they happen because of the aforementioned “wizardry” of hackers. Calling an attack “sophisticated” in that context might seem reasonable.

But security reporters understand that, by far, most attacks on organisations succeed by exploiting simple and well-known gaps and bad practices that organisations generally haven’t gotten around to fixing, like unpatched systems or untrained staff who’ve clicked phishing emails. For reporters, “sophisticated” is reserved for the truly audacious and novel attack – and communications teams that misuse this language will look like they’re trying one on.

Pitfall #4 – This won’t be over quickly

For communications teams, notification of a cyber crisis is like the sounding of an air raid siren. Odds are, within hours of being notified, the head of corporate affairs will be summoned into a “war room” to help plot the response to the crisis.

Such urgency and haste in the early stages of a cyber crisis response is warranted. But it can fool communications teams into adopting the wrong disposition, one that biases “big” early actions to quickly put out a fire. “Let’s just get out there and front-foot this” is a common crisis comms war cry, but it doesn’t always help in a cyber crisis – and might even do more harm than good.

For one, the early stages of an incident are typically when the least is known. Early statements that overcommit (by trying to say more than is known, or by stretching to be a single complete account of what has happened) not only risk being incorrect and inviting embarrassment for senior leaders, they can also cause panic and harm to customers.

Secondly, as recent data breaches involving Optus and Medibank have illuminated, cyber incidents can extend for days and even weeks. There are distinct phases to typical cyber security incidents, and communications teams should seek to understand these phases and plan what responses might look like across this lifecycle. And build their stamina for the long game.

My final words for communications teams are: “Be realistic about what you will achieve”. A comms team can’t spin a data breach, particularly one on the scale of Optus or Medibank, into anything other than a message that still leaves customers feeling violated and enraged and has newshounds further sharpening their biro tips. But with the right approach, it’s certainly possible not to make things worse. So be fair to yourself, and make sure others are being fair in their expectations of you.

And remember to breathe.

If you’d like to discuss this post further or are looking for assistance in developing your cyber crisis communications plans, reach out to us at hello@elevenM.com.au.

Photo credit: The Climate Reality Project on Unsplash.