Blog: Effective communication in a cyber crisis
Businesses have long been the target of digital scammers, fraudsters and hackers, but over the past few years cybersecurity attacks have become much more commonplace.
While not all have been as high-profile as Optus or Medibank, nearly all cause some form of operational, financial and reputational damage.
Recently released Australian Bureau of Statistics figures show that 1 in 5 businesses experienced a cyber security attack during the 2021-22 financial year, more than double the figure from 2019-20. The majority of these attacks related to scams or fraud.
The increasing number of cyber attacks has led many businesses to invest heavily in their IT and cybersecurity systems to mitigate the operational and financial risks, but businesses have been much slower to protect themselves from the reputational risks.
The higher-profile cyber-attacks escalated quickly and received extensive media coverage and social media commentary - not because of flaws in the businesses’ cyber security systems but because of how communications were managed.
There are lessons to be learned from every cyber-attack and many of the same principles apply to managing a cyber-attack as managing any other crisis. However, there are also a few communications considerations and requirements that are particular to a cyber-attack.
Based on our experience assisting clients with cyber issues, we’ve compiled a few simple tips.
- Ensure you have a crisis communications plan in place
The fear of a cyber-attack has been a motivator for some businesses to develop a communications plan. If you don’t already have a plan in place, you’re heightening your risk. While every crisis is different, a plan with clear protocols, roles and responsibilities is vital. Ideally, the plan should also be ‘road tested’ through practice scenarios and key spokespeople provided with media training.
- Act quickly
A cyber-attack may cause some unavoidable reputational damage regardless of how well you communicate. To avoid lasting damage to a business’s reputation, acting and communicating quickly where you can is key, particularly where the impact of the cyber-attack is obvious. This also extends to quickly understanding who has been impacted by the cyber-attack. For example, it may not only be a business’s direct customers or clients who are impacted, but also the customer’s customers. Noting this can be difficult in case of a ransomware attack where unknown personal information has been extracted.
- Control the narrative
In the long-term, it is better to be open, share details as best you can and control the narrative from the outset. The impact of a cyber-attack can be immediate and obvious but identifying the cause of the attack and a plan for remediation can take time. Customers and clients expect prompt, clear and honest communication when the services they depend on are disrupted. A void in communication can cause reputational damage. Initial communication may be as simple as acknowledging the issue and providing assurance that it is being investigated, but it should always be proactive not reactive. Communications and messages will inevitably evolve over time as the cause is identified and rectified.
- Understand your legal requirements
Some cyber-attacks, such as data breaches, where personal information has been accessed or disclosed, require individuals and the Office of the Australian Information Commissioner to be notified by the business. This requirement covers where the personal information disclosed is likely to result in serious harm. For more information, visit https://www.oaic.gov.au/privacy/notifiable-data-breaches.
- Check your cyber insurance policy and your insurer’s communication protocols
In some cases, where the financial risk is potentially high, insurance companies can exercise the right to appoint their own PR and legal advisors to work with businesses to oversee their response to mitigate risk and potential financial exposure for the insurer. While this expertise can be helpful, there’s also potential reputational risk associated with a business having their communications controlled or heavily influenced by a third-party.
- Develop a recovery plan
The reputational impact of a cyber-attack can vary according to its severity and how the communications have been managed. Regardless, a plan will need to be developed to rebuild trust and provide assurance that the risk of another attack has been significantly reduced. This may include communicating upgrades to your cyber security systems, sharing key lessons to benefit clients should they be faced with a similar issue or helping customers communicate with their customers about the impact of the issue.
Hughes | Consultant
Useful Resources
Australian Cyber Security Centre (ACSC)
Recent News
- Fleet Complete launches AI powered dash camera to the Australian market
- Groundbreaking disability housing project opens in Tea Tree Gully
- VAILO lights up the Tolmer Speedway
- West Beach Parks partners with Discovery Parks to grow holiday park visitation
- Detpak launches largest Australian compostable PBS range to cut plastic use
- CH4 Global Named “AgTech Sustainability Solution of the Year” in 2024 AgTech Breakthrough Awards
- Walk a Mile in My Boots this Homelessness Week
- Inaugural affordable housing development for women celebrates ‘topping out’ milestone in Adelaide
- Australian innovators push ‘go’ for first export of reduced methane beef
- West Beach Parks unveils $2.9 million community square and play space
- Adelaide Airport and Virgin Australia trial first ‘Try Before You Fly’ for people with disabilities and other health needs
- More support for Riverland’s wine grape growers
- Australia’s first Certified Passivhaus Training facility launches in Qld today
- Documentary gives Elders voice for years to come
- Blog: Work experience student Brock shares about his enjoyable week at Hughes
- VAILO unveils new flagship luminaire variant for airport aprons, sea ports, court sports and more
- Blog: The Goldilocks, Rumpelstiltskin and Pollyanna of PR – how to get it just right
- Community engagement starts on the future of McLaren Vale Hospital site
- Blog: Welcoming work experience student Summer from St Aloysius College
- SA community housing tenants access cheap electricity in Australian-first partnership