Why a Communications Team Cannot Go It Alone in a Cybersecurity Crisis
The case for hiring cybersecurity crisis communications specialists
When an organisation becomes aware of a potential cybersecurity event, its leadership team is often quick to engage a number of outside advisors within the first 24 hours: outside counsel who specialises in cybersecurity incident response and breach notification laws; technical experts experienced in remediation, recovery and forensic investigations; and ransom negotiators trained in how to dialogue effectively with various threat actor groups. Outside experts are engaged with good reason. Cybersecurity incidents, especially ransomware attacks involving severe operational disruption, are unique and nuanced events. They are whole-of-business issues and often result in class-action lawsuits, regulatory fines, downward pressure on share prices, eroded customer trust and decreased employee engagement. Cybersecurity matters bring significant, multifaceted risk to organisations – operational, financial, legal and reputational.
So then why do some victim companies wait to engage cybersecurity crisis communications advisors far later in the incident response process, or sometimes not at all?
The short and most logical answer is that cybersecurity crises are simply far more common than they used to be – so some victim organisations feel more comfortable “going it alone.” These incidents have gone from being black swan events to normal-course disruptions. Most companies also have templates and various plans in place, and are in fact fairly well resourced when it comes to their internal communications and marketing teams, who are adept at handling the types of crises most synonymous with their respective industries. Another reason victims bring in cybersecurity crisis communications advisors far later in the game is that they do not think they have a “communications issue” until the first media inquiry rolls in.
However, tapping into outside perspective from crisis communications specialists, who are well-versed in the cybersecurity threat landscape and know the rhythm of the incident response process, is key to maintaining stakeholder trust in the short term and protecting reputation over the long term. In-house professionals may see one cyber crisis over the course of their entire career – cyber crisis communicators see one (or more) every day. Most importantly, because cyber-attacks are at an all-time high, organisations are rarely criticised for just having experienced one but they are scrutinised for how they respond to it.
Companies should consider the following points when weighing the decision to hire cybersecurity crisis communications specialists to supplement corporate communications and PR teams.
Cybersecurity events are not your average crisis
One of the hallmarks at the outset of a cybersecurity crisis is the absence of confirmed facts. Facts can change quickly over the course of a cybersecurity forensic investigation. Information security teams can expect to be bombarded with questions and demands for answers: what was the root cause of the incident, is the incident contained, when will systems be back up and services operational again, and whose data, and what data, is involved? Stakeholders today have higher expectations of companies when it comes to communications about these incidents – they demand transparent, immediate and frequent communications from organisations. The challenge is that cybersecurity incidents and investigations are fluid situations, and many, if not all, of these answers will not be available right away. As a result, some of the common principles of “crisis communications 101” do not necessarily apply to cybersecurity incident response. For example, whereas “radical transparency” is a common hallmark of crisis communications, in cybersecurity matters the early bird does not necessarily catch the worm. Rushing to communicate everything a company knows – or thinks it knows – can create more risk for an organisation if unconfirmed or speculative information is communicated in the interest of urgency. This includes attempting to quickly communicate speculative information about the scope of the incident and the data that may or may not be affected. Cybersecurity crisis communications advisors can help internal communications teams navigate the tricky balancing act between transparency and risk, and help companies avoid the common pitfall of communicating information they may have to retract later.
There is an immediate need for communications
Because of the operational disruption that often results from cybersecurity incidents, there is frequently an immediate communications imperative that the victim organisation must confront. Customers and staff are likely to notice the disruption that encryption or disconnected services may cause – for example, an inability to ship products, provide services or pay employees. It is important to work with communications professionals who can quickly help victim companies establish a “single source of truth” that enables the organisation to set the narrative around what happened and what workarounds are in place to facilitate business continuity. Stakeholders such as customers, partners, employees, vendors and regulators need to hear confirmed information directly from the company – and the message needs to be consistent across those groups and, most importantly, it needs to be accurate.
Communications and legal teams must be in lockstep
There is an age-old misconception that communications and legal teams are often on opposite ends of the spectrum. But when it comes to cybersecurity incident response, communications and legal teams must be in lockstep from the jump. And, importantly, this equation includes outside cyber counsel. In cybersecurity matters, it is essential that legal and communications strategies are aligned, and communications teams are not inadvertently using messaging that could create additional legal risk. Additionally, it is important that companies are working with partners who understand the regulatory aspects of these incidents and can anticipate the public exposure that comes with certain regulatory disclosures, such as substitute notice and state attorneys general notifications. It is also crucial to engage communications partners who understand how to work with, and at the direction of, outside counsel. This helps to protect legal privilege over communications work product, which is often traded back and forth between client-advisor teams and heavily edited and evolved as the incident unfolds.
Cybersecurity trade media are a unique breed
Cybersecurity trade publications, bloggers and security researchers tend to dominate when it comes to breaking news about an unfolding incident. But they do not always operate like typical journalists. Cybersecurity media routinely monitor the dark web and sometimes have direct lines of communication to threat actor groups. Additionally, these reporters often double as technical experts and are viewed by other media as credible sources of information. When it comes to that first piece of coverage in a cybersecurity trade publication, getting it right is critical; local and national media frequently take their cues from the cybersecurity trades about a new incident. This is why it is important to engage communications specialists who have longstanding relationships with cyber journalists, know what to anticipate from them, and can help balance the public narrative from the outset of an incident.
Highly technical concepts need to be translated for a general audience
While information security teams understand the ins and outs of a cyber-attack and the technical aspects of remediation and recovery processes, most of the general public does not. According to recent research from FTI Consulting’s Cybersecurity & Data Privacy Communications practice, CISO Redefined: Navigating C-Suite Perceptions & Expectations, during a cybersecurity event, the majority of C-suite executives surveyed believe their Chief Information Security Officers (CISOs) are not completely prepared to communicate with the most important internal and external stakeholders. Translating highly technical concepts into clear, digestible and actionable information for non-technical audiences like customers, employees or media is critical during a cybersecurity matter. Enter cybersecurity communications experts, who liaise between information security professionals, legal teams and communications teams every day – they understand different acronyms, tools and technologies that are associated with various attacks and threat actor groups. Ultimately, this helps to ensure important information makes its way into an effective and clear organisational response.
Corporate communications/PR teams will be stretched
Initial communications at the outset of an incident are only the beginning. Once stakeholders are informed of a potential incident, questions and requests will flood in – such as requests for detailed security questionnaires, third-party attestations and one-on-one calls with information security teams. This means the company needs to maintain a centralised process for managing the inbound questions and, again, ensuring consistent responses are going out. Such a process often requires sufficient communications infrastructure to triage hundreds if not thousands of inquiries – a luxury that not all companies have the staff or resources to support. External communications experts in this space can help to establish, implement and support this triage infrastructure through tried-and-true crisis management techniques. Without a centralised “command centre” that equips the company to be responsive, accurate and consistent, other voices will fill the void, and rumours and speculation about the incident can run rampant.
Traditional communications channels may not be an option
It is often the case that companies’ preferred communications modes are not available when they are actively responding to a cyber-attack – email, corporate websites and intranet sites are regularly disrupted by ransomware attacks or containment efforts. Organisations may need to quickly identify and employ a range of back-up or alternative communications vehicles that deliver urgent updates to key stakeholders about downtime procedures. Cybersecurity crisis communications professionals who are well-versed in off-network communications solutions can assist teams with identifying and implementing out-of-band solutions, such as text-based emergency notification systems and “dark” sites.
Threat actors can be worthy PR adversaries
At the end of the day, most cyber-attacks are financially motivated and focus on inflicting maximum pain on an organisation in order to extort payment. As such, threat actors continue to become more aggressive and sophisticated in their extortion tactics. In addition to common tactics such as “naming and shaming” their victims by posting exfiltrated data on leak sites, threat actors are also reaching out directly to employees and executives, giving interviews to the media, outing companies to regulators such as the Securities and Exchange Commission (SEC) and even mailing packages to executives’ homes. These extortion tactics can lead to additional internal panic and external attention, including media stories and questions from customers and staff. As a result, companies need to be prepared with effective communications and messaging strategies to respond to these scenarios. Cybersecurity communications consultants know the various threat actor groups’ playbooks and can help organisations to peer around corners and properly plan for a likely escalation.
Incident response communication is not for the faint of heart
Incident response is a long game. Recovery, forensics investigations and data mining are not overnight processes – they often take weeks to months. What is more, in the immediate aftermath of recovery from a cybersecurity incident, additional time will be needed to complete legal notification efforts and respond to potential, ensuing litigation. Organisations used to managing crises that are mere moments in time are in for a wake-up call during a cybersecurity crisis. Cybersecurity crisis communications specialists are accustomed to the long game of incident response and can help corporate communications teams predict key milestones and, importantly, relieve the communications fatigue that inevitably accompanies incident response.
Experience matters
Companies that respond to cyber-attacks frequently rely upon cybersecurity legal and forensics experts who have gathered deep experience working hundreds of incident response matters. The muscle memory these experts gain from managing incident after incident cannot be overstated. The same principle applies to cybersecurity crisis communications. While no two incidents are exactly the same, the communications lessons learnt and best practices gleaned from working full time on these particular types of crises are extremely valuable to organisational victims. Of course, an organisation’s own communications team understands the company’s voice, corporate culture and stakeholders’ needs best. But in a cybersecurity crisis, supplementing that institutional knowledge with expertise in the highly nuanced field of cybersecurity and incident response communications can be extraordinarily beneficial.
Conclusion
When it comes to cybersecurity attacks, no organisation should go it alone. An effective and efficient response requires co-ordinated action between partners, including external legal counsel, forensics firms, crisis communications experts, call centres, mailing houses and more.
Communications decision-making is heightened and accelerated during cybersecurity events, so searching for a communications partner during an active cybersecurity crisis is not ideal. Establishing a relationship with cybersecurity crisis communications specialists in advance of an incident will help ensure the outside crisis communications team can familiarise itself with the company’s existing incident response and communications protocols, understand the different roles and responsibilities of members of the incident response team, and develop chemistry with internal communications and legal teams before the alarm bell rings. Working with communications consultants to develop a well-tested communications plan – one that considers the ten points above – can be the difference between maintaining and losing stakeholder trust and, therefore, revenue.
Incident response communications expertise in a cybersecurity crisis can no longer be viewed as an afterthought; it is a must-have, right now.
227 West Monroe St, Suite 900
Chicago, IL 60606
USA
+1 847 414 1377
+1 312 759 8119
jamie.singer@fticonsulting.com www.fticonsulting.com