Head in the Sand 8: the level of cyber crisis management preparedness is also woefully low, with many traditional crisis management techniques being inappropriate in a cyber crisis anyhow.
In addition to the low uptake of cyber insurance, there are also very few organisations with crisis management cover. Many of those that do are relying on traditional crisis management firms whose tactics are out of date and ineffective for cyber incidents. Some of these firms have recruited a few extra staff with some GDPR training, but few have adapted their techniques to the new realities. Most still focus on containment until a story breaks, followed by a swift transition to ‘mea culpa’, where you admit your mistakes, and then ‘tell it all, tell it fast’, with your CEO taking visible ownership. The problems with this approach start with the fact that GDPR mandates prompt disclosure, making containment impossible, and the fact that the ‘mea culpa’ approach is adopted on the assumption that if you show empathy then you’ll gain sympathy. This may work if you are a bank that has been robbed: the masked gunmen are obviously the villains and the bank, like its customers, is the victim. The problem is that banks that get hacked are always assigned the blame. Nobody focuses on the hackers. Instead, whatever security measures the bank took, it is held to blame for the breach. Placing your CEO front and centre will simply put his position and personal reputation at risk, along with that of the organisation as a whole.
You need to work on the following assumptions. Firstly, you need to assume that you are likely to face a breach at some point – no organisation is 100% safe, and failing to prepare means you are preparing to fail. Waiting until a cyber incident does occur before thinking of crisis management is like waiting until you are drowning before thinking of learning to swim. Your best approach is to work with cyber crisis management experts on scenario planning and to rehearse this with realistic simulations, so that when an incident does occur, and it will, you are ready for it and know how to respond.
Secondly, when it does happen you need specialist cyber law advice to rapidly formulate a legally defensible narrative and then plan how you are going to be able to stick to it. Containment isn’t an option and the ‘tell it all, tell it fast’ approach won’t win you any sympathy, so expect to be held to blame and be ready to weather the storm.
Thirdly, you can expect a good deal of hysteria and misinformation. Given that your credibility will be at an all-time low and your brand will be more vulnerable than ever, you’ll need to be able to call on credible independent influencers to counter any hysteria and misinformation on your behalf.
It is an unfortunate reality that for traditional media, bad news makes big headlines, and that across social media hysteria and misinformation are rife. Fortunately, however, there are some crisis management specialists that focus on cyber incidents, working with the top cyber lawyers to help you formulate a legally defensible narrative, and that are connected to networks of global influencers that can move into action immediately to counter any hysteria and misinformation.
Any such cyber incident crisis management specialists should act as an extended team in support of your own internal team in the event of an incident, but the effectiveness of this kind of support is limited if they’re called in only after things have gone wrong. Giving them the chance to work with you in advance, in order to fine-tune scenario planning to your business needs and to rehearse realistic simulations with your executives, will maximise your ability to respond effectively to such incidents and thereby protect your brand and your reputation.