Opinion: 7 ways cybercrime requires a different kind of crisis comms
Kitty Parry, founder and CEO at Social Media Compliance – a company that assists businesses to achieve “compliant” social media status among staff – explains seven ways the rise of cybercrime requires brands to develop a different style of crisis comms.
The data breach is an entirely different kind of crisis from those communicators are usually prepared for. In fact, the threat of cybercrime requires you to turn your crisis communications plan on its head. Much of what has been assumed about crises is not only incorrect when applied to data breaches, but is directly opposed to what is really required.
It’s clear to me that managing crisis communications for conventional crises differs in at least seven ways from managing data breaches resulting from cybercrimes:
- Visibility
Conventional crisis: Every type of conventional crisis is highly visible as it occurs. Organisations have no doubt that they dealing with a fire, flood, workplace violence situation, break-in, indictment or other unexpected situation.
Cyber crisis: The organisation that suffers a data breach may not even be aware that it has happened for weeks or months after the initial event. Hackers ran malicious software that swiped customer credit card information in Home Depot’s systems for five months before it was discovered.
- Threat
Conventional crisis: Typical crises most often present a physical threat to people and/or property or, as in the case of a legal or regulatory crisis, a psychological and emotional threat to the organisation and its executives. Even in a legal crisis, the company may be viewed externally as the victim (of theft, embezzlement, fraudulent leadership).
Cyber crisis: A data breach rarely poses a physical threat to the victimised company, but it can lead to severe financial consequences for customers, suppliers and the company itself, as well as disastrous reputational harm to the company’s brand. While the business is indeed a victim in a cybercrime, it frequently is perceived as a perpetrator of harm to its customers and suppliers for failing to sufficiently defend against cyber intrusion.
Although the company may indeed have taken reasonable steps to ward off network intrusions, hackers and professional criminals have demonstrated that they consistently can find ways to surmount these defences. A result may be that the company harbours a false sense of security about its networks because of its investment in protection systems, making the organisation’s responsibility appear to be even greater when an intrusion ultimately does occur.
- Scope
Conventional crisis: A conventional crisis usually affects a geographically finite group of people—a company and its employees, a city, a state, a specific nation—who are at or close to the location of the crisis.
Cyber crisis: Data theft of misuse may directly and immediately damage the finances and reputations of millions of customers who are geographically far removed from the site of the breach. Additionally, an increasing number of cyber criminals are conducting blackmail attacks in which they enter a corporate network and encrypt all of its files, making them inaccessible to the company. The criminals then seek to extort millions of bitcoins from the company in exchange for restoring access.
- Response
Conventional crisis: The communications team can take action immediately to respond to a conventional crisis, even as it continues to unfold. Status reports can be delivered in news conferences, websites can be updated, email and text messages can be dispatched to help keep people safe as the crisis moves toward resolution and to project the organisation’s image of openness.
Cyber crisis: Immediate external communications must be issued in response to the cyber intrusion is not always the best practice. In fact, the action causing the crisis likely has been completed and what needs to be communicated is its potential sustained impact on others. Resolution may be months away.
- Crisis Team
Conventional crisis: Many crisis plans focus on the facility and who should do what to prevent a physical crisis from spreading, whether it be fire, flood, terrorist, power outage or other source of harm. In these plans, everyone plays a role in getting the company up and running again, managing their functions and areas in the plant, office or institution.
Cyber crisis: While everyone is responsible for using safe procedures online, cyber threats can be directly handled only by a small group of people from IT, the C-suite and perhaps outside technical experts. Most managers and employees will have little, if anything, to do with restoring the organisation’s capabilities. Therefore, they may feel frustrated at being unable to assist in speeding recovery and a return to normal operations.
- Messaging
Conventional crisis: Communicators prepare messaging for a very small group of people, perhaps the media spokesperson, a backup person, and top officers who will be communicating with regulators and customers. All others are advised to refer anyone who asks about the crisis to one of these spokespersons.
Cyber crisis: The entire organisation needs to be prepped with messaging. If a retailer suffers a data breach, checkout clerks must be equipped with messaging when people ask about the security of using their debit cards. Offhand, unprepared remarks from employees can lead the company to find itself in even deeper trouble. Yet saying nothing at all to inquiring customers can make the company look uncommunicative and guilty. Mass messaging must supplement executive messaging.
- Assessment
Conventional crisis: In every conventional crisis, a primary concern of company executives and investigators is to locate the root cause of the crisis and take action to forestall a repetition. This kind of assessment normally produces recommendations for changes in policies, procedures, ways to strengthen security systems and/or physical changes to the facility.
Cyber crisis: When a data breach occurs, the cause of the crisis may be easily discovered, but implementing steps to prevent its recurrence—such as arresting the cyber criminals or blocking their activities—may not be possible. Breaches frequently originate half a world away, where UK law enforcement has no jurisdiction and where the individuals responsible may be nearly impossible to identify. Organised gangs of cyber criminals operate from countries where British officials often have little or no political influence and where these criminals are not pursued by local governments.