Not if, but when: preparing for the inevitable cyber attack
Last week I took part in an interesting online webinar discussing the communications tactics organisations could employ to help them respond to a cyber or data attack.
Following the question and answer session (and some follow-up engagement on LinkedIn), one of the things that seemed very clear to me was that organisations are still looking for ways to stop a cyber incident, rather than focusing on methods to respond to one.
I guess that’s to be expected, but if there’s one thing we should learn from the number of cyber attacks happening around the world (Garmin, Nielson, Promo most recently) it’s that if you have limited resources, there’s only so much you can do to stop an attack happening.
There are certainly measures businesses should put in place to make their data as secure as it possibly can be.
But there is no absolute fail-safe. As developments at home (a breach of the WA Health Department’s paging system) and abroad (Russian spies targeting UK COVID-19 vaccine research) attest, the chances of a business never experiencing a cyber attack or a data breach are growing increasingly slim.
So, as the title suggests, this story deals with some of the communications planning businesses should put in place to be ready for not if, but when, they are hacked or lose control of sensitive information.
I’d encourage businesses of all sizes to prepare as if this is an inevitability. The best-case scenario is they will find themselves with plans they never have to implement. If they aren’t so lucky and a breach of some kind does occur, at least they will have a strong reference point for how to start dealing with it.
Here are five communications-related items businesses can (and should) be thinking about right now when it comes to their data.
- Stakeholders: if you are hacked or suffer a data breach, who are you going to have to tell? In my experience, businesses that haven’t got a comprehensive stakeholder list to refer to tend to forget interested parties and fail to communicate with them.
- Templates: In almost every type of crisis, having a set of pre-approved communications templates is an important starting point for dealing with the issue. A cyber attack or data breach is no different. In the days before social media, businesses might have had 24 hours before they had to publicly respond to a crisis. But that timeframe can be measured in minutes these days. Having a good idea of what you will/can say before you have to say it is smart planning and puts you in a position to tell your own story, rather than having someone else (potentially even the media) pick up the narrative for you.
- Preparing a plan: Speaking of plans, I estimate only a quarter of the businesses I deal with have a data breach/cyber attack response plan. Every business should have one, and each of those plans should also include details of how you will communicate in the event of being breached or attacked – including the responsibilities and roles of staff in those communications. Guidelines from the Office of the Australian Information Commissioner specifically state that companies are expected to plan for how they will communicate around a data breach.
- Preparing your people: I’ve said numerous times in the past couple of years that information security is less of an IT issue than it is a people issue. Simply put, you can put all the technological “solutions” in place that you like, but they aren’t really going to help if it’s human error which is responsible for the issue (which it is about a third of the time). Preparation of your people, therefore, involves coaching them not just on the systems and policies in place to protect your business’s data, but also making them aware of the pre-emptive planning you’ve undertaken for dealing with a breach, putting them through media training if required, and considering whether rigorous scenario training will better equip your team to deal with a data crisis (at Cannings Purple, we have designed a tool called Situation Room specifically for this purpose).
- Staying connected: The temptation for many businesses might be to see other companies go through data breaches or cyber attacks and react simply by saying “thank goodness that isn’t us”. That’s understandable but it doesn’t help them deal with a similar crisis when it’s their turn. Given the evolving methods of hackers and the constantly changing nature of data regulation, businesses should be regularly monitoring news events and advice from regulators to understand how they may be affected right now and in the future. That includes learning from the misfortune of competitors.
I can say from experience that cyber attacks and data breaches are vastly different beasts to your “standard” business crisis. In many cases, the spotlight (including media interest) doesn’t just fade away after a couple of days or a week. It’s not uncommon for thousands of new affected parties to start appearing weeks after an incident was first brought to light and for businesses to still be taking steps to address the situation many months down the track.
The duration and uncertainty of the crisis only multiplies the importance of good communications planning.
But don’t just take my word for it. Official advice from the OAIC in relation to data breaches contains five times as many references to communications matters as it does to legal ones.
There’s an important message in that for every business.
Cannings Purple Director of Design and Digital Jamie Wilkinson is an expert in proactively preparing communications strategies to respond to data breaches and managing communications during a data breach crisis. Email Jamie.