Cyberattacks Put Your Reputation at Risk
The reputational risk of a major cybersecurity breach to corporations cannot be overstated, as impacted companies can see trust erode among key stakeholder groups, lose once-loyal customers and partners, and face intense regulatory scrutiny. A Forbes/IBM study found that 46% of organizations that experienced cyberattacks suffered damage to their reputations and brand value as a result of the breach. While a company may not be able to prevent being targeted, it can control what it says and does should it become a victim of a cyberattack. How it communicates with key stakeholders will directly influence the immediate aftermath and long-term impact on the business.
We advise companies to keep in mind several important principles as they prepare to communicate in the wake of a cyberattack:
1. By failing to prepare, you are preparing to fail.
The most important element of responding to a cybersecurity breach is often the work done ahead of time. Every company should develop a “break glass” plan for the most likely cyber scenarios, which can guide immediate steps in the event of a crisis. While no one can anticipate all possible scenarios (nor should they try), having a clear sense in advance of the team that needs to be engaged, the materials that will be required, and templates that can serve as starting points will help maintain order and reduce confusion in the first minutes, hours, and days. Well in advance of experiencing an attack, you should run a full simulation involving realistic challenges and the full team that would handle the real thing. Then, refresh the plan and rerun the simulation on a regular basis: new hires, organizational shifts, and changes in the cyberattack landscape can render a cyber preparedness plan inadequate if it’s not updated as the years go by.
2. Being transparent doesn’t mean getting ahead of the facts.
When a cyberattack is first detected, the communications team can usually anticipate the questions they will get from the company’s stakeholders. What data was involved? How many users or customers were impacted? How did the bad actors gain access? When will normal operations resume? Could it have been averted? How will you prevent it from happening again? The answers to those questions, however, may be much harder to come by in the early stages, and it may take weeks, months, or longer for an investigation to yield a full set of facts. Before that investigation is complete, spokespeople should be concise and intentional with messaging, prioritizing authenticity but never sharing unconfirmed details and unnecessary statistics. Sharing conflicting information or information that is ultimately proven incorrect with stakeholders is one of the quickest ways to lose trust and credibility. Instead, share only what is certain, factual, and necessary. Don’t provide updates just for the sake of communicating. Focus on what stakeholders need to hear, rather than just what you want to say.
3. Utilizing leaders and protecting them from scrutiny is a balancing act.
Stakeholders will want to hear from company leaders, not just from public relations spokespeople. Be thoughtful about how a company utilizes top executives and the CEO. These leaders can provide credibility and demonstrate accountability, but only if you set them up for success. Avoid placing them in public-facing situations where they can’t answer questions or deliver a clear message, and instead create a more private atmosphere wherein they can deliver controlled remarks, such as an employee town hall. If you anticipate a reporter will question them, consider answering or providing a statement via email.
Companies should also support executive communications by arming external-facing teams with the tools they need to communicate with stakeholders. A customer service hotline or email dedicated to this specific issue can provide a more private and controlled outlet for conversations and concerns, without overpromising solutions or providing an inaccurate timeline.
Pay equal attention to stakeholders that may not be directly impacted but will absolutely care about the issue, such as employees and investors. The investor relations team should be prepared to field calls from top investors and human resources should proactively engage with employees to address their questions and maintain morale.
4. Lightning actually can strike twice in the same place.
Remember that a company is still vulnerable, even immediately after an attack. In more than 50% of cases, criminals return to attempt a second breach within 12 months. Following a breach, debrief with the designated crisis response team to discuss what worked and what could be improved, and refresh the cyber preparedness communications plan accordingly. Stakeholders will be less forgiving if a company makes the same mistakes twice. If you commit to ensuring protections and then fall victim to another attack, you will squander whatever trust you worked hard to gain after the first attack. Be sure to discuss the work done to improve cybersecurity practices after an attack, while at the same time exercising caution to avoid providing a roadmap for future cybercriminals or goading others into attempting an attack.
While painful and disruptive to business operations, a cyberattack can be an opportunity to pivot, introduce new equipment and personnel, and refresh the products, tools, and services a company offers and uses. Well-managed communications efforts before, during, and after the attack can allow the company to shift from a crisis into a leadership moment. Industry peers will be waiting to see if and how a company moves forward and learns, looking for communications takeaways that they can implement for themselves.
Emma Prenn-Vasilakis is a Vice President at Abernathy MacGregor. She supports publicly traded and privately held companies on complex strategic communications matters and has significant experience with crises and special situations, including reputation management, cybersecurity, and litigation. She also assists clients with corporate strategy and financial communications, including company milestones and transformations, mergers and acquisitions, and shareholder activism.