All too often, businesses are falling prey to hackers and leaks. Whether the attack is local or global, the reputational damage can be extensive and long-lasting. In the week that the UK Government announces a new national cybersecurity strategy supported by a £1.9bn investment, we bring together our experts from both sides of the Atlantic – Rod Clayton, Co-Lead, Global Issues and Crisis and Patrick Chaupham, Creative Technology Strategist – to talk about about the role of communications when a cybersecurity crisis hits.
Q: Why do businesses and brands need to take cybersecurity seriously?
Rod: It’s becoming an ever more serious issue. We have potentially very serious threats to data security at exactly same time as we are seeing a massive increase in digital platforms and channels, in the speed at which information travels, and, crucially, in the accumulation of data by all sorts of organisations. Businesses are accountable for those data so they are having to work ever harder to ensure that they are secure.
Q: How is technology and the way we are using technology contributing to the threat of breaches?
Patrick: As platforms become more complex along with the need for integrated data, it’s exponentially increasing the issue. Think about how you use your own data. As we engage across an increasing number of media and digital platforms, mostly using the same identify and data set, there are more opportunities for vulnerability. At any one time, I might be signed into between 12 and 20 social, financial or personal apps, all tied to my identity, and any of them can fail.
Rod: And this is all happening at the same time as the number of devices we use is reduced; many people now do not have landline as well as mobile, or a PC as well as a laptop. We’re doing everything from one or two devices, and we’re doing it wirelessly, which demands extra caution.
Q: What’s the role of communications when a cybersecurity crisis hits?
Rod: The crucial thing is that many issues evolve over time – there is constant interplay between the considerations of stakeholders, lawyers, consumers, partners and regulators. When someone has accessed your system and taken information out of it, that’s happened and there’s nothing you can do about it. The plane has gone down. So everything depends on how you address the issue and particularly how you communicate around it. Once the event has happened, you will be judged on how transparent you are. But you have to be careful: sometimes businesses are so keen to be transparent that they exaggerate problems and cause unnecessary concern; there is a balance to be struck.
Patrick: Another aspect is employee advocacy. When a cyber crisis hits, you need to address it from a crisis communications standpoint, but also build on that with employee messaging and readiness. Brands need to ensure their employee audience is ready, as a first line of immediate defence.
Rod: Employee communications is crucial. It’s a valuable preventative measure as well, since some hacks have come about as a result of employees being careless. If problems do arise, effective internal communications are vital for relaying what has happened and what is being done about it. There is also a sense of duty of care: people trust you with their data and expect you to look after it. You’re certainly going to have to address people’s disappointment that you couldn’t keep their data secure. Part of it is resetting consumer expectations so that they understand that it’s in their interests to help companies protect their data.
Q: Are all cyber crisis responses created equal, or will action differ depending on industry sector, geography or audience?
Rod: There are geographical and cultural differences. Employee behaviour on social can vary, for instance, and different countries have different regulations and legislation, which can complicate things. In many jurisdictions, regulators and politicians are actively looking at how they can identify, manage and reduce cyber risk. In terms of sectors, any industry can be affected, but there are differences depending on consumer sentiment. One of the main things that consumers care about is whether their financial information has been taken or not, and people also care about personal information such as healthcare records. But a cyber crisis can affect any company that gathers and uses personal data.
Patrick: Different channels may be effective in different markets, and there are platform sensitivities: we’d address crisis preparedness and planning differently on social channels and owned digital properties, for instance. Whether we issue a blanket statement or very targeted communications will depend on which channels and tools are going to be most effective for that client and audience engagement.
Q: What are the implications if you don’t get communications around a cybersecurity crisis right?
Rod: That depends on factors such as how much consumers love the brand and how much they have truly suffered, but we certainly saw a lot of people voting with their feet after the Talk Talk cyber attack. If the CEO hadn’t done such a good job in the media, it might have been much worse. When consumers have no strong passion for the brand they will exercise choice and go somewhere else. This is partly to do with purely emotional aspects such as feeling that their trust has been betrayed. Also important is the extent to which a company has marketed itself as being safe, secure and trustworthy; but that can cut both ways.
Patrick: I agree. Consumer trust is transparent and can shift quickly thanks to digital and social platforms. If an unprepared brand is the subject of a cyber attack when it’s not ready with messaging and content, you can have a snowball effect and end up with a larger crisis. It’s worth saying again: it’s not just about the crisis itself, it’s about how you address it and how it plays out with your content and engagement strategy.
Rod: There’s also the question of language. There’s a big difference between just being hacked, and being breached, where hackers have actually taken information out of the company and possibly made use of it. One careless phrase used by a communicator can make a big difference to that company, even as to whether its insurers decide to pay out or not.
Q What tools do you use to support clients through a cyber attack?
Rod: With our Firebell crisis simulation software and training we can simulate the speed with which communications around a cyber-attack can take off. The speed is not surprising to social media managers who go through the training, of course, but lawyers are always shocked that the world isn’t always rational, and surprised at how fast things can take off and go in unpredictable directions. What lawyers think of as important are not always the aspects that consumers or the media latch onto. In a crisis, things can become true even when they are not.