Crisis Communications During Cyber Incidents – What you need to do now!

Posted on 14 September

Charlie looks at crisis communications and the steps you can take now to prepare your organisation for a potential cyber incident in the future.


This week I am all cyber-ed up; on Monday and Tuesday I taught a great bunch of people attending our ‘Managing and Preparing for Cyber Incidents’ course, and on Wednesday morning I delivered a Cyber Briefing to a senior management team. As part of the course, we spend a couple of hours on crisis communications during a cyber incident, which got me thinking about what you should do in preparation for a possible cyber breach.

If you are properly ‘crisis ready’, you should have a crisis management plan, media-trained spokespersons and pre-prepared communications scripts. However, I don’t think this is enough when you are responding to a cyber incident. It is a good baseline, but you have to move quickly and communicate fast in a cyber incident. You don’t have the time to scramble around and work out how to communicate with your affected stakeholder groups. With GDPR, you have a maximum of 72 hours to communicate the breach, but within that time you also have to contact all those impacted by the incident. This does not give a lot of time to identify stakeholder groups, develop communications and get the communications out to those whose data has been compromised. There are a number of steps you can take now to prepare yourself and speed up the process for communicating with stakeholders.


  1. Identify the worst-case scenario for what you could potentially lose, as well as what personal information and other data you hold. This should be down to fine detail, such as whether you hold National Insurance numbers or just names and addresses and how much credit card information you have. The average time a cyber hacker has been in an organisation’s systems before they are discovered is decreasing; in 2015 it was 200 days. If this is the case, there is a possibility that all of your data has been compromised and you should do a risk assessment to see what data you hold. I have delivered a webinar on this subject, which is available to view here: https://www.b-c-training.com/b...
  2. You need to identify the groups you will need to contact if all of your data is compromised. This could include staff, customers, past customers, suppliers, previous job applicants and past staff. The list could be substantial.
  3. Next, you should determine how you will contact each group during a cyber incident. Will a post on the website or a statement via social media be enough? Or do you need to email, ring or write a letter to each stakeholder group? You also need to check whether you actually have the means to contact them. You may decide to email everyone, but when you look at the data, you find that you are missing 20% of the email addresses required. You should consider how you will contact the hard-to-reach groups, such as elderly people who may not use emails, the blind and those who have opted out of communication from your organisation. You also have to think about the details of contacting people. Will your email system let you send out 10,000 emails simultaneously? If you have to send out 250,000 letters, as the company I briefed on Wednesday would have to do, you would need to engage a mail fulfilment company. A contract to do this and then send the letters may take more than 72 hours, so you need to have a contract with a company in advance.
  4. Once you have done step three, you then have to do the same again if you do not have access to your systems and your databases as a result of being locked out by ransomware. This just makes it more difficult and adds another layer of complexity.
  5. It is worth writing prepared communications now, in the different mediums you would use for contacting various stakeholder groups. You know who they are and what information of theirs you hold; the only thing you don’t know is what data has been compromised by the breach and how it happened!
  6. You need to decide if you are going to offer any support and advice to people who have had their data compromised. If you are going to offer a credit monitoring service to those impacted, I suggest that you look into this now. You should understand the service they offer, whether it is appropriate for your stakeholders and how to implement it. If you need to have this in place within 24/48 hours, it is probably worth having a call out contact for this. You also need to think about what help and support you will offer to those affected. If you are going to set up a helpline, where are you going to find the people to man it? Do they have the skills to help those calling in and what IT systems will they access to find out information those calling in might want? If your call centre becomes swamped and people can’t get through, this could lead to another negative media story that puts you back in the spotlight. 

The one thing about cyber incidents is that you don’t have a lot of time. You have a statutory responsibility under GDPR and a moral responsibility to warn your stakeholders that their data may have been compromised, and this needs to be done within 72 hours at the most. If your response is not seen to be organised and sufficient, you may be fined by the ICO. With GDPR just coming in, they may look to make examples of organisations who do not discharge their obligations sufficiently. So, business continuity people, you might need to take a break from the horizon scanning advocated by this bulletin and start working on the above list with your communications people.