A cyberattack does not only impact a company's computer systems; it also provokes a crisis situation that threatens reputation, financial stock, and business continuity. In the event of a crisis due to a cyber incident, the confidence of internal and external stakeholders and the public perception of the company are at stake.
This is why you need to put in place effective crisis communication strategies to mitigate the negative consequences of an attack. However, beware: when it comes to crisis management, there is no ready-made solution. In 2022, digital security threats to businesses are too diverse and complex to be tackled all at once in a single internal memo. You need to build a bespoke crisis plan for your business, its stakeholders, and the operating environment. Don’t forget that in order to face and manage the crisis, you also need a plan ready to weather all conceivable cyber incidents.
Crisis communication refers to all the means of communication a company can use to address an issue that affects its organisation and its reputation. A crisis is a situation where the organisation of the company is likely to be thrown off balance, disrupting its processes and operating environment in the process.
Crisis communication mainly aims to limit the negative impact of a crisis on a brand and its products. In the event of a crisis, disaster prevention efforts, crisis responsiveness, and short-term decision-making are required. You can manage communication effectively and bypass potential controversies thanks to successful crisis communication planning.
Crisis communication should also be part of a company’s fundamental communication strategy, as it impacts all communication channels, from internal and external communication to public and press relations and social media.
Furthermore, crisis communication is an integral part of crisis management, so it also calls for continuous consultation with general management and members of the crisis unit.
There are two commonly recognised components of crisis communication:
Crisis communication is a central part of crisis resolution. Without an appropriate crisis response, employees and other stakeholders are left to interpret the situation in their own way, encouraging the crisis to grow and develop to the point of threatening the organisation’s survival. A company going through a crisis due to a cyberattack therefore has a duty to go public with its side of the story and reassure its audiences.
The main objective of crisis communication is to allay concerns and protect the image of the company. Be careful, however, not to communicate for the sake of communicating – your crisis communication must convey your genuine intention to provide durable solutions to current malfunctions.
The general public is increasingly aware of the risks associated with digital security and cybercrime, and a company that realises how sensitive its audience is to these issues is more likely to communicate successfully.
Since 2016, the implementation of the General Data Protection Regulation (GDPR) also demands communication in the event of a confirmed cyber risk. To be thorough, articles 33 and 34 of this regulation stipulate that organisations should provide “detailed information to the supervisory authorities within 72 hours of detecting the problem, and as soon as possible to each natural person concerned if there is a high risk of infringement of their rights”. (Source: CNIL, In the event of personal data breach)
This is why the IT department, in collaboration with the communication department, must prepare crisis communication strategies, depending on the type of cyberattacks or system failures involved. In 2022, the most recurring cyber crimes targeting companies are:
The trick to surviving a crisis situation is to know how to appropriately time your communication. Sharing information with the public too early can negatively impact customer, shareholder, and stakeholder behaviour. Communicating too late, on the other hand, can deal a fatal blow to a company's reputation and financial stock.
Communicating about a crisis implies controlling the narrative and adapting the message to each stage:
1 / The pre-crisis phase: despite an apparent calm, signs of weakness nevertheless begin to arise. The conditions for the onset of the crisis start coming together. Internally, disturbing rumours begin to appear, which should set the communication and IT departments into motion.
2 / The acute crisis phase is when it really begins. At this stage, the company is at risk of losing control of the situation, and the media and stakeholders are alerted. It requires the activation of the crisis communication team and the implementation of the crisis communication plan that has been prepared upstream.
3 / Then comes the chronic phase. The crisis has been disturbing the company’s operations with its employees, shareholders, and stakeholders for a while. It is now, more than ever, time for the crisis communication team to reassure these different players by carefully choosing its communication channels and taking protective and restorative measures.
4 / The post-crisis phase sees the company adapt to its new circumstances. It should learn from the crisis and adjust its structure and procedures. In the event of a cyberattack, for instance, the company could invest in a more robust antivirus protection system.
The post-crisis phase constitutes an exit from the crisis situation: relevant data is archived and the crisis task force is shut down – things are now “back to normal”. However, this cooling down should not be taken for granted. Crisis communication theorists observe that organisations that assume too soon that a crisis is over can quickly return to a pre-crisis phase.
A crisis has an impact on various players who stand out as priority targets in your crisis communication. These stakeholders are, in order of priority, as follows:
1 / The victims of the cyber incident are your “priority target”. These may be customers whose personal data has been stolen or internet users who can no longer access your website.
2 / The internal stakeholders of the company are your “secondary targets”. Informing your employees enables you to influence their own communication with the outside world. Do not bet on confidentiality in this situation – you may have to mop up leaks. Instead, reassure staff, anticipate the sorts of requests that they might encounter, and give them the appropriate tools to communicate.
This crisis communication target includes unions and staff representatives, executives, various departments, suppliers and wholesalers, prospects, and consultants (accountants, lawyers, and insurance agents). Of course, this audience also includes investors and stock markets.
3 / Next comes the press, whether regional, national, or international. It is up to you to determine whether your press release should primarily target general or specialised media and whether it should target television, radio, or print media first, depending on your activity and the nature of the cyber crisis.
4 / If appropriate to your business context, also consider contacting political stakeholders such as elected officials, the relevant administrative institutions, and the official inspection authorities.
5 / Ultimately, you may also choose to communicate with professional associations in your sector. This move helps maintain your reputation if you are seen to be focused on solving the crisis.
Functional crisis communication depends on how successful the company was in anticipating upstream. This is why crisis communication has to follow a meticulous procedure, detailed in the digital security risk management plan.
If it is well constructed, your crisis management plan includes a communication strategy that breaks down into the following major components:
Also, consider having your operational crisis communication process typed or written down on paper; if a crisis occurs because of a cyberattack, you may no longer be able to access the digital version.
These components are also based on concrete assets:
In the event of a crisis, your company is vulnerable to major disruptions. To be effective, your crisis communication team needs to show rapid decision-making and must apply the crisis management plan with pragmatism.
Your team needs to adapt to the specific fallouts brought on by a cyberattack, and it is also required to determine who the victims are. By doing all of this, your team members will be able to adjust your communication strategy. In any case, keep a few major crisis communication principles in mind, even if it means straying from the plan:
In addition to these major rules, you should tailor your communication plan to the reality of the cyber incident:
The first messages you broadcast to outpace the press must include these few essential elements:
Structuring your communication in this way helps you to break it down into factual and emotional messaging, both of which can be beneficial in the right measure. It is up to you to work out which angle best suits your situation and objectives. Whatever happens, never settle for a “no comment” that could be construed as an admission of guilt.
Crisis communication aims to prevent the company from having its image tarnished, losing consumer confidence, and suffering financial stock losses.
Cyber crisis communication is akin to communication during a natural disaster, as you have to deal with hard circumstances: pressure from external players, daunting challenges of survival, impossible deadlines, and uncertainty.
First, companies can opt to acknowledge the failure, which is the most common position in a cyberattack. Secondly, in some instances, they may choose to create a diversion by talking about other issues and putting the blame on outside players. Alternatively, they might decide not to communicate at all, but this is a risky option.