Cybercrime Response: Why you need a crisis communications plan
Before you brush me off, let’s take a quick look at some sobering numbers related to poor cybercrime crisis communications management, shall we?
46% of companies have experienced reputational damage and loss of brand value from data breaches, according to Forbes Insights: The Reputational Impact of IT Risk.
- The average loss of brand value after a cyberattack was between $184 million to $332 million, according to a survey research by Experian Data Breach Resolution and Ponemon Institute.
- Executives participating in the same survey estimated it could take up to one year for brand image and reputation to rebound after a cybercrisis.
Now do you see why a solid cybercrisis communications plan is critical? Good.
Let’s look more closely as how and why these documents are so important, and what you need to know to create one.
Why You Need a Cybercrime Incident Communications Plan
“A crisis communications plan is as important as a business plan,” asserts Aaron Blank, CEO, of The Fearey Group, a Seattle-based public relations and public affairs agency with a crisis practice.
“Everyone thinks to themselves, ‘This can’t happen to me so therefore I don’t need to prepare for it,’. But if you’re online, whether it’s using services like Microsoft 365 and Sharepoint or Dropbox and Gmail, you must have a plan in place,” he says. “Recent incidents…illustrate how at risk of a cybercrime we are.”
Once that risk becomes reality, you need to focus both on dealing with the event and continuing to run your business.
“If you’re scrambling to put together a crisis communications response while also dealing with the incident, it’s going to hinder your ability to inform the public and your key audiences,” Blank continues.
How to Create a Cybercrisis Communication Plan
Build a rapid response team. Choose team members based on their specific skills, personality traits and ability to work well in drills. Then establish a chain of command and an official spokesperson to address employees, vendors/partners, customers and the media. Build a relationship with an agency with a specialty in crisis communication to provide expert counsel and free up your in-house team to continue normal operations.
- Pro Tip: “Make sure there’s a back-up for every role on the team,” advises Melanie Dougherty Thomas, managing director of Inform, a Washington, DC-area integrated communications firm that provides crisis consulting. “Say Jim’s in charge of social, but what if he’s on vacation?”
Draft language. Create boilerplate talking points and statements for each type of attack you’re prone to or that is commonly unleashed on organizations like yours, and outlining your established cybercrime incident response activities. Address both internal and external audiences.
- Pro Tip: “Employees need to know the details of what is true and what you are doing to move forward so there are not doubts in their own minds that you have this handled,” Blank counsels. “Your customers, vendors and others that work with you regularly need to know that you’re aware of and handling the crisis,” he adds. “It impacts their habits, or even their business.”
Create a dark website and activation plan. Designate a section of your website that lies dormant until needed during a cybercrisis, when it goes live to become portal where employees and customers find accurate and up-to-date information on the crisis.
- Pro Tip: “Build out a plan for how that gets activated, including after-hours activation, and the team responsible for its updating and maintenance,” Blank notes.
Practice regularly. Hold scheduled and surprise drills to put your team through its paces and keep response and execution sharp.
- Pro Tip: Rehearsals are the only way to determine if your team can function in crisis. “You have to know beforehand if we have right people in the right roles,” Thomas says.
Finally, Thomas adds, don’t park your plan in the cloud only.
“Attacks could occur outside business hours or when you’re off-site,” she points out. “Instruct team members to keep hard copies of the updated plan at home and at the office so they have access regardless of when an attack happens and whether or not they can get on your corporate network.” And update the contact information monthly to ensure it stays current.
Planning for a cybercrisis is good business.
“No one is safe from cybercrime – no one,” Thomas concludes. “Whether you’re a small doctor’s office or a Fortune 500 company, it will happen. In the heat of the moment, you’ll be shocked to see the level of emotion that comes from this kind of crime. Having a plan is critical.”