On a bright and early morning, a number of people from local businesses joined us at The Bond for our latest SL/CED seminar ‘How to manage a crisis response’ on Friday 22nd March.
Our SL/CED events are a series of seminars designed to give marketing advice in small, easy-to-digest chunks. We’ve previously run events on marketing messages, social media, and websites, but this time we wanted to focus on more of a business issue – managing a crisis response.
We wanted to discuss how to deal with a crisis response in the digital age we live in, so we invited guest speakers from a law firm and a cyber security company to help us explore the scenario. Chris Woods and Vishvas Nayi from CyberQ Group, an award-winning cyber security company, brought their knowledge of how a cyber breach can happen and what businesses need to do when it does. Chris Recker from international law firm Trowers & Hamlins provided insight on the legal playbook and what the legal requirements are when a breach happens. Javan Bramhall, Managing Director at Digital Glue and PR expert, discussed what communication strategies you need to have in place during and after a crisis.
If you couldn’t make it, here are some of the key takeaways from the seminar.
1. When a crisis happens, it’s not just a cyber or IT problem – it’s a business problem!
When a crisis breaks, it’s not one thing: it’s not just an IT problem or a legal problem, it’s a multi-team, multi-discipline effort. If a cyber-attack happens, it’s not just a cyber security problem; cyber security is one element you need to consider when you have a breach. It’s important to have your security, legal and communications teams all working together.
2. Know your threat actors and their motivations
Every attack begins with a person, and every person has a motivation. If a breach happens, remember that there is a person behind that attack, and attackers have different motivations.
Here are some of the most common threat actors and motivations:
Hacktivists are passionate about a cause such as the environment, poaching or capitalism, and when they breach you, they let you know. They tend to go after your social media accounts and websites. They want to get their message seen, so when they go after you, they want you to know why.
Cybercrime is a billion-dollar industry: these are highly skilled teams of individuals working closely together to compromise organisations, and they are not just targeting banks – they are targeting intellectual property.
For example, suppose a company is working with a big hedge fund, the hedge fund has been compromised, and the attacker obtains a spreadsheet of everything it is going to invest in over the next three years. How much is that information worth? Potentially millions or even billions. Cyber criminals are after intellectual property just like this, because it gives them an advantage.
An insider threat is when an ex-employee or current employee has access to your data and intends to sell it on the dark web. An insider threat can be particularly difficult because of that trusted relationship: they have access to your systems and company information. This can be extremely difficult to spot, which is why you need the right processes, procedures and technology to pick it up.
Government hacks are what you’ll read about in the mainstream media. This is where one government wants to hack into another government.
3. Prevention is better than cure
Action Fraud estimates that 70% of all fraud is cyber enabled and that statistic will keep increasing in this digital age.
Prevention is better than cure. The better prepared you are, the better you are going to mitigate the effects of an incident. Having legal policies and procedures in place gives you another line of defence when an incident occurs, especially when the regulators start investigating: they’ll want to know what you’ve been doing and, more importantly, what you haven’t been doing. Policies and procedures will also help you deal with the financial and non-financial losses that occur when a breach takes place. Financial losses include direct financial losses, investigation costs, and the cost of lawyers and cyber experts; non-financial losses include reputational damage and loss of management time.
4. Follow the plan and act quickly!
If you have a plan, it allows you to move quickly, preventing further damage and loss. If you want to stop money being taken from an account, you may need freezing injunctions to stop the flow of the money. If it’s an insider threat and an employee is trying to sell your data on the dark web, you may need an injunction to stop them. If an incident occurs, do not wait, act quickly!
5. Bring the experts in
Again, this isn’t just a legal or cyber matter, so the legal team will bring in the experts for specific incidents, such as a cyber security expert if there has been a cyber breach. The legal team will bring in the PR and communications company to deal with the internal and external communications. You need to have the right team of people who know what they are doing. You may even need a team of forensic accountants. Once you get an idea of where the threat has come from, you might need to bring in asset tracers to find out who the attackers are and where they are; they can find out whether the attackers have money or are moving it, and detect suspicious activity. All of these experts are there to help you deal with the crisis and potentially give evidence in court later down the line, so they need to be credible.
6. Reputational damage affects the profit of your business
Reputational damage sounds very high level, but actually it hits the bottom line. Reputational damage affects the profit of a business because you may not even have a business left as a result of it. That’s why reputation is so valuable and important to your business. What communication allows you to do is manage that reputational risk and damage and, overall, build and maintain trust. Building that trust is what is going to help you deal with and respond to this crisis.
7. Own the crisis
The first thing to do in any crisis is to take ownership. This can be challenging and can feel difficult, because if you’ve been the subject of a malicious cyber-attack it might not feel like your fault. However, there are very few quicker ways to erode trust in you and your business than not taking responsibility. From a communication perspective we use the three A’s:
Acknowledge. You need to begin by acknowledging that the crisis has happened or is happening. This begins the whole communication process, because you’re letting people know that there’s something not right.
Accept responsibility. This can be difficult to do, especially if your business has suffered an attack and you don’t feel like it’s actually your fault. Accepting that responsibility is the first step in building trust.
Apologise. Few things are more disarming, or defuse a situation more effectively, than a genuine apology. It isn’t the only thing, but by saying sorry early and categorically, you show that you care and that you want to fix the issue. This can be a simple email that goes out to all of your customers, acknowledging, accepting and apologising for the mistake. Saying sorry goes a long way.
You can read more about this in our previous blog post “How to respond to a PR crisis”.
8. Have a plan
The final thing, and you could probably start with this, is to have a plan. If something goes wrong, how are you going to handle it? This plan will cover more than just security and crisis communications, but having a plan and direction for security, legal obligations and communications stops us panicking and getting things wrong in the first instance, and makes sure we cover everything off.
The key thing to remember in any cyber crisis is that you need to cover all three elements: cyber security, legal and communications. If you only deal with one aspect, it’s only going to solve one part of the problem. That will not help you survive a crisis, and it will not prevent a crisis from hitting your business.