Cyber-attacks. Of course they won’t happen to you. You’re smart enough to not be fooled by phishing, adept enough to have implemented two-factor authentication and a host of other measures to strengthen IT infrastructure, and you’ve heard enough, and done enough, about GDPR that the acronym has now become meaningless.
Except, there’s that nagging feeling at the back of your mind. Because you’ve read the reports that the UK is now subject to a sustained effort by Russian hackers to target millions of devices. You know that cyber security is top of the list of concerns for UK CEOs. And you’ve heard of colleagues in other businesses who have suffered ransom attacks or extortion demands. Or, you’re in an organisation employing 100s or 1000s of people, and you know you can’t be responsible for all the links each individual decides to click.
You should listen to that nagging feeling.
Communications agencies, legal teams and forensic data analysts have been involved in a significant increase in cybercrime response in the past 12 months. More and more organisations are investing in defence systems and response structures for cyber-attacks, data leaks and breaches.
As with many crisis scenarios, it’s not so much the fact that it’s happened, as to how you respond, that makes a difference. This is particularly the case with cyber-attacks – where personal data including credit card numbers, passport details and other sensitive information could be compromised – and client relationships are also in jeopardy with attackers potentially targeting confidential documents and commercially sensitive information. Add to that the responsibility to swiftly report breaches to regulatory authorities (even more so after GDPR), and very quickly navigating this minefield can be difficult.
Organisations must swiftly determine their strategy – while almost certainly operating in the dark. You won’t know who did it, how they did it, what’s been exfiltrated or the extent to which your system has been compromised for some time – but this lack of information is not an excuse for communications paralysis.
The Crisis Management Team must be convened, with management, operational teams, risk managers, legal counsel, IT forensics, and communications teams called to activate their workstreams. (If you don’t have these in place, that’s your starting point today). They must assess what’s known, identify the gaps (there will be many), and determine the initial response (including hacker communications where needed). The communications strategy must meet regulatory requirements but also accurately reflect the status of the data analysis, extortion demands, and any police investigations – so as not to lead to contradictions as events unfold. When applicable, notification to affected parties must strike the right tone of reassurance and action, and organisations must understand who they need to communicate with (internally and externally), determine timelines – and ultimately be seen to be in control.
Live cyber security issues involving multi-million-pound ransom demands can evolve over months – other extortion attempts can be over in a matter of days or weeks. Whether it’s an email you receive announcing you’ve been hacked, a phone call to the CEO, or a message on your computer screen – you’ll be better placed if you have a response strategy ready to activate.
Having information released or sold on the dark web is a significant fear for many businesses. But by being prepared, and communicating well, you can help to shine a light on this criminal activity – while protecting and defending the reputation or your organisation.
To help prepare for a cyber-attack, to test your plan, or to call for the parachute regiment, why not give our specialist Hill+Knowlton Issues + Crisis team a call on 020 7413 3000.
By Nic Daley