A cyberattack does not only impact a company's computer systems. It also provokes a crisis situation, which threatens reputation, financial stock, and business continuity. In the event of a crisis due to a cyber incident, it is the confidence of the internal and external stakeholders and the public perception that are at stake.
This is why you need to put in place effective crisis communication strategies, to mitigate the negative consequences of the attack. However, beware: when it comes to crisis management, there is no ready-made solution. It is 2021, digital security threats to business companies are too diverse and complex to be tackled at the same time in one brief. You need to build a crisis plan customized to your business, its stakeholders, and the environment. Please note that in order to face and manage the crisis you also need a plan ready to weather all conceivable cyber incidents.
Crisis communication refers to all the means of communication a company has to use to address an issue that affects its organization and its reputation. A crisis is a situation where the organization of the company is likely to be thrown off balance, so much so that its processes and environment are being altered.
Crisis communication mainly aims to limit the negative impact of the crisis on the brand and its products. In the event of a crisis, disaster prevention efforts, crisis responsiveness, and short-term decision-making are required. With enough crisis communication planning, then you can manage communication effectively and bypass potential controversies.
Crisis communication is also part of the institutional communication of companies. It transversally affects areas as diverse as internal and external communication, public and press relations, and social media.
It also calls for continuous consultation with general management and members of the crisis unit. Crisis communication is indeed an integral part of crisis management.
There are two commonly recognized components of crisis communication:
Crisis communication is a central part of crisis resolution. Without an appropriate crisis response, employees and other stakeholders are left aside with their interpretation of the situation. The crisis then feeds itself to the point of threatening the survival of the organization. The company going through a crisis due to a cyberattack therefore has a duty to go public with its side of the story and reassure its audiences.
The main objective of crisis communication is to allay concerns and protect the image of the company. Be careful, however, not to communicate for the sake of communicating. Your crisis communication must convey your genuine aspiration to provide solutions to current malfunctions.
The general public is more and more aware of the risks associated with digital security and cybercrime. A company that takes the right measure of how much its audiences are sensitive to its issues is more likely to communicate successfully.
Since 2016, the implementation of the General Data Protection Regulation (GDPR) also demands communication in the event of a confirmed cyber risk. To be thorough, articles 33 and 34 of this regulation provide “detailed information to the supervisory authorities within 72 hours of detecting the problem, and as soon as possible to each natural person concerned if there is a high risk of infringement of their rights ”. (Source: CNIL, In the event of personal data breach)
This is why the IT department, in collaboration with the communication department, must prepare crisis communication strategies, depending on the type of cyberattacks or computer malfunctions involved. In 2021, the most recurring cyber crimes targeting companies are:
The trick to surviving a crisis situation is to know how to appropriately time your communication. Sharing information with the public too early can negatively impact the behaviour of customers, shareholders, and other business partners. Communicating too late, on the other hand, can deal a fatal blow to a company's reputation and to its financial stock.
Communicating about a crisis implies controlling the narrative and adapting the message to each stage:
1 / The pre-crisis phase: marked by an apparent calm, it is nevertheless punctuated by weak signals. The conditions for the onset of the crisis are coming together. Internally, this phase corresponds to the apparition of disturbing rumours, which should set the communication and IT departments into motion.
2 / The acute crisis corresponds to the phase when it really begins. At this stage, the company is at risk of losing control of the situation. Now the media and stakeholders are alerted. It requires the activation of the crisis communication team and the progress of the crisis communication plan that has been prepared upstream.
3 / Then comes to the chronic phase. The crisis has been destabilizing the company’s relationship with its employees, shareholders, and stakeholders for a while. It is now time more than ever for the crisis communication team to reassure these different players by carefully choosing its communication channels and taking protective and restorative measures.
4 / The post-crisis phase sees the company adapt and transform itself to the new circumstances. It learns from the crisis and adjusts its structure and procedures. In the event of a cyberattack, for instance, the company invests in a more efficient anti-virus protection system.
The post-crisis phase constitutes an exit from the crisis situation: relevant data are archived and the crisis task force is closed. Things are now “back to normal”. However, this cooling down should not be taken for granted. The theorists of crisis communication indeed observe that, should the company do so, it would then return to a pre-crisis phase.
The crisis has an impact on various players who stand out as priority targets in your crisis communication. These stakeholders are organized in sequence, as follows:
1 / The victims of the cyber incident are your “priority target”. These may be customers whose personal data have been stolen or Internet users who can no longer access your website.
2 / The internal stakeholders of the company are your “secondary targets”. Informing your employees enables you to influence their own communication with the outside world. Do not bet on confidentiality in this situation, you would have to mop up leaks. Give them, on the contrary, communication keys vis-à-vis the requests they might receive, and reassure them.
This crisis communication target includes unions and staff representatives, executives, various departments, suppliers and wholesalers, prospects, and consultants (accountants, lawyers, and insurance agents). Of course, this audience also includes investors and stock markets.
3 / Next comes the press, whether regional, national or international. It is up to you to determine whether your press release should primarily target general or specialized media and whether it should target television, radio, or print media first, depending on your activity and the nature of the cyber crisis.
4 / If your entrepreneurial activity allows it, also consider contacting political stakeholders such as elected officials, the relevant administrative institutions, and the official inspection authorities.
5 / Ultimately, you may also choose to communicate with professional associations in your sector. This move helps maintain your reputation if focused on solving the crisis.
Functional crisis communication depends on how successful the company was in anticipating upstream. This is why crisis communication has to follow a meticulous procedure, detailed in the digital security risk management plan.
If it is well constructed, your crisis management plan includes a communication component that breaks down into the following major axes:
Also, consider having your operational crisis communication process typed or written down on paper: if a crisis occurs because of a cyberattack, you may no longer be able to access the digital version.
These axes are also based on concrete assets:
In the event of a crisis, your company is vulnerable to major disruptions, to be effective your crisis communication team needs to show rapid decision-making and must apply the crisis management plan with pragmatism.
Your team needs to adapt to the specific malfunctions encountered subsequently to the cyberattack. It is also required to determine who the victims are. By doing all of this, your team members will be able to adjust your communication strategy. In any case, keep a few major crisis communication principles in mind, even if it means straying from the plan:
In addition to these major rules, you should tailor your communication plan to the reality of the cyber incident:
The first messages you broadcast to outpace the press must include these few essential elements:
These informational categories refer to two notions detailed by Thierry Libaert in his book Crisis communication : technical crisis communication which details facts, and symbolist communication, which is more about emotions. It is up to you to work the angle that best suits your situation and your targets. Whatever happens, never settle for a “no comment” that would be an admission of guilt.
Crisis communication aims to prevent the company from having its image tarnished, losing consumer confidence, and suffering financial stock losses.
Crisis communication is akin to a natural disaster really, as you have to deal with hard circumstances: pressure from external players, daunting challenges of survival, impossible deadlines, and uncertainty.
Companies can opt for acknowledging the malfunction which is the most common position in a cyberattack. Secondly, in some instances, they may choose to create a diversion by talking about other issues and putting the blame on outside players. Alternatively, they might decide not to communicate at all, but this is a risky option.
related to cyber risk quantification