“Be Prepared” - Ensuring your organisation is ready for a cyber-attack
Tags: Crisis Communications, digital and design, Media Officer, Sarah-Jane Aston
As we become more dependent on technology to support our businesses, the risk of a company suffering a cyber-attack grows. The recent global attack that affected at least 150 countries and more than 200,000 computers is an example of how much of an impact such breaches can have on business.
It saw computers in organisations that ranged from hospitals to banks to corporates encrypted by a modern-day highway robbery tactic known as ransomware: Pay up in bitcoin or your data gets it.
Beyond the operational implications, the reputational impact can be huge. Gone are the days when organisations could relegate the responsibility of cyber-security to their IT departments. It’s now up to boards and management teams to ensure each company has a solid cyber crisis management plan in place.
From a communication perspective, preparing a plan to engage with your stakeholders in the aftermath of a cyber-attack is as important as preparing and monitoring your IT infrastructure. The potential damage to an organisation’s reputation if an unreported cyber-attack is later revealed is limitless.
In fact, from February 22, 2018, mandatory reporting will mean that if an organisation subject to the Australian Privacy Act 1988 is affected by an "eligible data breach", it will be legally obliged to alert both the Australian Information Commissioner and the people whose data has been compromised.
An eligible violation is defined as “data breaches, including data loss incidents, where a reasonable person would conclude that the breach would be likely to result in serious harm to any of the affected individuals”. Organisations have 30 days to complete an assessment of a suspected breach and if an “eligible data breach” is deemed to have occurred they must provide affected individuals with the following information:
The identity of the organisation
The description of the breach
The kind of information concerned
Recommendations to the individual as to steps to take in response to the breach.
It’s not immediately clear from that definition whether last week’s ransomware attack would count, though it is likely it would incorporate a data loss incident, even if it looks like the data is being locked rather than stolen.
For ASX-listed companies that are subject to continuous reporting obligations, there is the added layer of shareholder reporting. Despite potentially not being in a position to quantify the violation at an early stage, there is a requirement to report material information as soon as practicable.
The solution, at least from a reputation management standpoint, is clear: a crisis communication plan that identifies key stakeholders, protocols and required engagement will ensure your business is well-prepared should the unthinkable happen.
So, from a practical perspective, what are the key things to consider?
First of all, recognising there has been an issue, and sharing what you are doing about it, is vital. There may be different messages for different stakeholders, but getting on the front foot and acknowledging the issue is always a better tactic than hoping it remains secret. Being transparent about the information you currently have, and that which you don’t yet know, is also vital.
Secondly, offering support to those affected is important, but only if it’s genuine. There’s no point having one set of public messages if your private behaviour doesn’t support your position. Transparency and honesty are important.
Communicating with staff will also be critical to ensure they are aware of what’s happened, alert to signs of another attack and clear about the organisation’s communication and social media policy. Customer-facing employees will require briefing on the amount of information they can relay. Informing and reassuring staff regarding the status of their own personal data is also incredibly important.
Perhaps most importantly, recognise when you need support. If your organisation lacks the resources necessary to create or implement a cyber crisis communication strategy, seek out support.
Cannings Purple has the expertise and experience to ensure your organisation is prepared for a cyber-attack and to assist you to manage situations as they unfold. If you would like to discuss your cyber crisis communication plan, please contact us on 08 6314 6300.