Chances are you or your business have been hit by a cyberattack. Research from the University of Maryland shows that on average, a hacker attack occurs every 39 seconds, affecting 1 in 3 Americans every year. As cyber threats become more sophisticated, businesses of all sizes and all industries remain vulnerable. In fact, 43 percent of cyberattacks target small businesses, which means that we’re all equally susceptible to a cyberattack impacting our business.
While the rate at which cyberattacks occur is alarming, what’s even more alarming is the fact that most companies have no plan in place for how to communicate with key stakeholders when one occurs. According to a report from the Ponemon Institute conducted on behalf of IBM, more than 77 percent of organizations do not have a cybersecurity incident response plan. This is true despite the fact that an estimated 54 percent of companies reported that they have experienced one or more attacks in the last 12 months.
While it has become increasingly hard for companies to fully protect themselves from a cyberattack, you can control how well your company is prepared and how you respond in the wake of a data breach. Most companies take nearly six months to detect a data breach, which means by the time your business becomes aware of it, you are already playing catch-up. Not having a response plan in place leaves you even more vulnerable and hinders your ability to respond quickly and effectively. This lack of preparedness puts you at a greater risk for additional damage to your overall business and your reputation. The quicker you can get your message out, the better chance you have of being able to control the story, share important facts, and protect your company’s reputation and brand.
Creating a plan before you need it can help you successfully weather a cyberattack, ensuring that you are able to respond quickly, demonstrate concern for your customers and clients and reinforce your commitment to preventing future attacks.
Some key plan elements to consider include:
1. Establish a Crisis Communications Team – You need to delineate who needs to be involved in navigating the crisis and have emergency contact information for each team member. Identifying roles for each person based on their position and expertise within the company is also helpful. For example, who is in charge of fielding media requests, who is monitoring review and social sites for comments, and who is communicating with customers or clients?
2. Identify a Spokesperson – One person from your organization, ideally a member of the crisis communications team, should be selected as the sole spokesperson to release statements and address questions related to the crisis. This appointment should be communicated companywide and no one else from your organization should offer public comments. You might also consider investing in media training for your designated spokesperson.
3. Key Messages – Think about how a cyberattack would threaten your business and affect your customers or clients. Your messaging should include five core components when it comes to responding to a data breach or any crisis: (1) Acknowledgment of the breach, (2) An expression of empathy for how the breach has impacted your customers or clients, (3) Insight on your organization’s values and how those values will help guide your response and actions, (4) Your approach to managing the breach including actions that you have already taken and those that are underway, and (5) Steps you have taken to ensure a breach doesn’t happen again and how you are working to protect those impacted, which can include free credit and identity theft monitoring as well as new security measures and processes.
4. Internal Procedures – Outline how the organization will communicate with employees in the event of a cyberattack and how they will be kept informed as the situation unfolds. Does this communication take the form of a conference call, a town hall meeting, an internal memo? Companies should select the format that best suits their organization, but keep in mind that, unfortunately, internal documents can get leaked, so having a consistent message across all communication materials is key.
5. External Procedures – Know how and where you will respond to your main external audiences, especially those personally impacted by the cyberattack. It’s critical to use an appropriate mix of platforms to communicate with external audiences to ensure that they can access the information easily and quickly. Consider using a mix of shared and owned content, including social media posts as well as direct email and mail notices, while using your website as a central clearinghouse where people can get more information directly from you. Someone on the crisis team should also be monitoring news sites (including comment sections) as well as social media sites to provide real-time information that incorporates your messaging and any updates to your approach and commitment to correcting the breach.
Your number one goal in any crisis is maintaining trust. The most effective way you can maintain trust is by showing that you care and persistently demonstrating that you still care for as long as the expectation exists from stakeholders. Having a response plan in place ensures that you can quickly express empathy while assuring stakeholders that you are taking actions to safeguard against similar events occurring in the future.
Unfortunately, bad things happen even to good companies, but it’s how you respond that counts. Will you be ready if a cyberattack threatens your business?
Tiffany Miller is executive vice president of R&J Strategic Communications.