Blog: Effective communication in a cyber crisis
Businesses have long been the target of digital scammers, fraudsters and hackers, but over the past few years cybersecurity attacks have become much more commonplace.
While not all have been as high-profile as Optus or Medibank, nearly all cause some form of operational, financial and reputational damage.
Recently released Australian Bureau of Statistics figures show that 1 in 5 businesses experienced a cyber security attack during the 2021-22 financial year, more than double the figure from 2019-20. The majority of these attacks related to scams or fraud.
The increasing number of cyber attacks has led many businesses to invest heavily in their IT and cybersecurity systems to mitigate the operational and financial risks, but businesses have been much slower to protect themselves from the reputational risks.
The higher-profile cyber-attacks escalated quickly and received extensive media coverage and social media commentary - not because of flaws in the businesses’ cyber security systems but because of how communications were managed.
There are lessons to be learned from every cyber-attack and many of the same principles apply to managing a cyber-attack as managing any other crisis. However, there are also a few communications considerations and requirements that are particular to a cyber-attack.
Based on our experience assisting clients with cyber issues, we’ve compiled a few simple tips.
- Ensure you have a crisis communications plan in place
The fear of a cyber-attack has been a motivator for some businesses to develop a communications plan. If you don’t already have a plan in place, you’re heightening your risk. While every crisis is different, a plan with clear protocols, roles and responsibilities is vital. Ideally, the plan should also be ‘road tested’ through practice scenarios and key spokespeople provided with media training.
- Act quickly
A cyber-attack may cause some unavoidable reputational damage regardless of how well you communicate. To avoid lasting damage to a business’s reputation, acting and communicating quickly where you can is key, particularly where the impact of the cyber-attack is obvious. This also extends to quickly understanding who has been impacted by the cyber-attack. For example, it may not only be a business’s direct customers or clients who are impacted, but also those customers’ customers. Note that this can be difficult in the case of a ransomware attack where unknown personal information has been extracted.
- Control the narrative
In the long term, it is better to be open, share details as best you can and control the narrative from the outset. The impact of a cyber-attack can be immediate and obvious, but identifying the cause of the attack and a plan for remediation can take time. Customers and clients expect prompt, clear and honest communication when the services they depend on are disrupted. A void in communication can cause reputational damage. Initial communication may be as simple as acknowledging the issue and providing assurance that it is being investigated, but it should always be proactive, not reactive. Communications and messages will inevitably evolve over time as the cause is identified and rectified.
- Understand your legal requirements
Some cyber-attacks, such as data breaches where personal information has been accessed or disclosed, require the business to notify the affected individuals and the Office of the Australian Information Commissioner. This requirement applies where the personal information disclosed is likely to result in serious harm. For more information, visit https://www.oaic.gov.au/privacy/notifiable-data-breaches.
- Check your cyber insurance policy and your insurer’s communication protocols
In some cases, where the financial risk is potentially high, insurance companies can exercise the right to appoint their own PR and legal advisors to work with businesses and oversee their response, to mitigate risk and potential financial exposure for the insurer. While this expertise can be helpful, there’s also potential reputational risk associated with a business having its communications controlled or heavily influenced by a third party.
- Develop a recovery plan
The reputational impact of a cyber-attack can vary according to its severity and how the communications have been managed. Regardless, a plan will need to be developed to rebuild trust and provide assurance that the risk of another attack has been significantly reduced. This may include communicating upgrades to your cyber security systems, sharing key lessons to benefit clients should they be faced with a similar issue or helping customers communicate with their customers about the impact of the issue.
Hughes | Consultant
Useful Resources
Australian Cyber Security Centre (ACSC)