Cyber attacks are a common cause of organisational crisis, a risk that has been turbo charged by the Coronavirus pandemic. Individuals and business are adapting to remote working and digital communication, dramatically increasing businesses’ exposure to cyber threats.
I’ve argued in my new e-book Surviving Crisis that crisis is the new normal; large companies have averaged a crisis a year over the past five years. Now, with half the world in Coronavirus lockdown, I expect few would disagree.
What’s the cyber risk?
Cyber-induced crisis can come from denial of service attacks, extortion, theft of commercial data, release of customers financial or personal information and internal sabotage. As opportunities in the digital realm have expanded, so have the risks.
A global survey by Deloitte of more than 500 crisis management executives found eight out of 10 organisations have mobilised their crisis management teams at least once in the past two years, with cyber attacks being the most common cause.
The sudden increase in remote working has amplified long-standing cybersecurity challenges such as unsecured data transmissions, external access to company systems, opportunity to obtain employees details and passwords and use of platforms such as Zoom which lack extensive security protocols.
Consider cyber safety as part of the Coronavirus response
Cyber safety should be a key priority of any business’ Coronavirus response. Already the Australian Cyber Security Centre (ACSC) has issued a new advisory detailing how to reduce the risk of falling victim to cybercriminals.
The ACSC has received a stream of reports from individuals, businesses and government departments about a range of COVID-19 themed scams, online frauds and phishing campaigns.
The centre has already responded to more than 20 cyber security incidents affecting COVID-19 response services or major national suppliers, and disrupted over 150 malicious COVID-19 themed websites.
While there are a number of ways to mitigate the cyber threat, such as insisting staff use strong passwords ideally with multi-factor authentication, or using a Virtual Private Network (VPN) to connect to a work network, the likelihood of experiencing a cyber attack is extremely high.
Tips for communicating a cyber attack
The principles of effective crisis communication apply no differently when communicating in the face of a cyber incident; if anything, the speed of the business’ message is all the more critical. Protecting one’s personal identity instils a strong emotional response, and it is important for your voice to be the first one a person hears on the issue, rather than that of a colleague, competitor or journalist.
If, or when, a cyber attack occurs, the key is for businesses to communicate promptly and empathetically. Remember, a technology incident almost always has human impact.
Think about the people behind the technology – acknowledge the impact that the incident has had on your people, whether it’s customers, employees, donors, board members, investors or volunteers; people in a crisis want to know what it means for them, not what it means for the ICT networks. Put forward a personable spokesperson and avoid the use of technical jargon.
Not leave an information vacuum for others to fill – a data breach is a sure way for stakeholders to lose trust in a brand. A way for businesses to start rebuilding trust is to become the source of accurate information on the issue. If you don’t have the facts, let people know how you are finding them.
Use clear and consistent messaging – messages that are clear and compassionate will have the most cut-through when people are in a heightened state of stress. And don’t be afraid to repeat yourself; it often takes numerous times for a message to resonate.
Not set and forget – follow up on the promises you made to address the issue and the protocols you said you will put in place. Track progress moving forward and regularly report on the milestones achieved.
Icon Reputation provides strategic counsel and hands-on support in a crisis situation, including data breaches and cyber attacks.