A PR Plan to Respond to a Cyber Attack

The PR Cavalry

We have experienced the gut-wrenching moment when you learn that your business has suffered a cyber crime.

In our case it was our hosting company – a global organisation with hundreds of thousands of customers who were the subject of a ransomware attack.

We were lucky: the site was down over a short period and we protected the data, but in that time we felt powerless and angry. It could have been much worse.

If you are thinking about defending your organisation then the best place to start is the National Cyber Security Centre.

But what can you do once the breach has happened to protect your business from the damage to your credibility with customers, employees and suppliers?

The short answer is to hire a PR freelancer who understands both the nature of cyber crime and crisis PR. We have recently undertaken specialist training of a panel of our freelancers in conjunction with the North West Cyber Resilience Centre.

Rule One – Stop Being Angry and Get Busy on Your Communications Response

You are going to feel mad as hell and want to do bad things to the perpetrators. All of this is wasted energy and gets in the way of the urgent task of protecting your credibility with stakeholders, which is what is now at risk.

Rule Two – Establish the Who

Are certain stakeholders legally obliged to know about a data breach?

Decide who else needs to be told and in what order. Has customer data been lost, but not employee data or vice versa?

Managed disclosure is ALWAYS better than a breach being leaked by a third party, so take control of the timing by first working out the order of who needs to be told when.

Rule Three – Establish the What

You have, if not a regulatory duty, at least a moral duty to allow the subjects of a data breach to mitigate their own risk, so you need to know exactly what data is compromised. It may not be as bad as your initial shock made you think. It could also be worse.

It may actually be helpful to overestimate the size and scale of the breach. Saying “it’s not as bad as we first thought” is a world better than having to go back and say it’s worse.

Rule Four – Establish the When

Hopefully you first hear about a breach from internal sources, so you have the luxury of deciding when to communicate it. Don’t squander this advantage: the earlier you communicate, the more you are in control.

Stakeholders deserve to hear it from you, in words of your choosing, and coming clean is always to your credit.

Having gained that first mover advantage, you have to maintain it by staying ahead of rumour even if it means revealing a worse picture than you first understood.

Rule Five – Establish the How

You have three main direct channels where you control the message: email, your website (home page and dedicated page) and social media. Ensure that you have a grid showing that all three are being used in sync and that there are no gaps in timing or contradictory messages.

You have the indirect channel of external media where your message is likely to be challenged or reinterpreted. Do not react to negative comment but respond to it where necessary.

On social media provide accurate replies to negative or harmful comments but steer well away from emotionally driven comments.

Anticipate reaction with supplementary information where valid questions are raised.

Rule Six – Establish the Message

Each case is different but generally:

  1. Accept Responsibility and Apologise – it was your data to protect, even when users ignored advice on strong password protection etc.
  2. Avoid Sounding Like You Are Trivialising – your main job is to project trust, not sound like you are covering your backside
  3. Avoid Blaming the Perpetrators – criminals are bad, this is not news and helps no-one
  4. Avoid Shifting the Blame – a third party may be partly or mostly responsible, but it was up to you to avoid that vulnerability
  5. Keep it Clear – jargon can sound like you are trying to hide behind words

Rule Seven – Turn Back the Clock

The best time to deal with a data breach is the day after you’ve planned for one and got all your resources, procedures and responsibilities mapped out.

If you got the call today, how ready would you be and have your PR team got real crisis management experience?
