There Will Always Be New Ways for the Bad Guys To Do Bad Things
December 19, 2024
Protecting Your Company’s Reputation During a Cyber Attack
The Rising Threat of Cyber Incidents
I recently had the privilege of participating in an insightful webinar hosted by PRovoke Media on how companies can safeguard their reputations when faced with a cybersecurity incident. I was joined by two distinguished experts in the field – Richard Hummel, Director of Threat Intelligence at NetScout, and Kevin Curran, Professor of Cyber Security at Ulster University.
Having worked in tech PR for more than 20 years, I’ve seen plenty of cyber crises play out – and these attacks are unfortunately becoming more frequent and sophisticated. Beyond the technical damage they can inflict on a company’s systems and data, a breach can cause severe harm to its carefully built reputation and customer trust. The financial costs and legal ramifications can also be significant. That’s why it’s absolutely critical to have a well-planned crisis communications strategy as an integral part of your cybersecurity incident response program.
The Importance of Timely and Transparent Communication
During the webinar, I emphasized that timely, transparent and empathetic communication is essential before, during and after a cyber incident. Organizations need to quickly acknowledge the situation and take clear responsibility rather than downplaying the severity or impact. Delayed or vague responses will only cause further mistrust and skepticism.
Whilst it’s important to act fast, accuracy and restraint are also key. Provide the concrete facts you have available but avoid speculation or overpromising. Make it very clear that more details will be shared as the investigation progresses. Having a pre-established and often-rehearsed crisis communications plan – with protocols and a designated response team ready to execute it – can make all the difference in responding quickly and effectively under pressure.
Unique Challenges of Cyber Incident Communication
Compared to other corporate crises, cyber incidents have some unique challenges from a communications perspective. There may be legal restrictions imposed on the company regarding when it can publicly announce a breach, or what it can say. Breaches often involve individuals’ sensitive personal data like financial or health information, which understandably causes greater fear and even panic. Many people find the technical complexity of cybersecurity daunting, so there’s often a disconnect between the nitty-gritty details of an incident and how much concerned stakeholders need to know. Bridging that gap requires close collaboration between the security team and corporate communications to strike the right balance.
Three Pillars of Effective Crisis Communication
When communicating about a cyber incident, I advise companies to focus their messaging on demonstrating three key things: accountability, action and empathy. Taking full responsibility for the situation, providing specific examples of how security is being improved, and authentically expressing that you understand the real-world impact and frustrations for customers can significantly help restore broken trust. Provide real, tactical protection responses – explained in clear terms – and never blame the victim under any circumstances.
Learning from Real-World Examples
A prime example of this is Uber’s remarkable turnaround from badly mishandling a data breach in 2016 to establishing industry-leading security practices and transparency under the leadership of its new CEO. In contrast, 23andMe’s tone-deaf and finger-pointing response last year implied that users were at fault, which generated swift backlash and condemnation. Uber showed the power of rebuilding confidence through highly visible security improvements and sincere long-term commitments. 23andMe, which became the subject of an exposé by The Guardian, suggested that customers had re-used passwords and that “the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures.”
Internally, it’s just as important to inform and engage employees early and often during an incident. They are not only vital stakeholders but potential brand ambassadors. Arm them with crystal clear instructions, empower them to communicate appropriately with customers if needed, and ensure executives lead by consistent example in alignment with external messages. You can’t afford mixed signals.
Looking ahead, I expect the volume and sophistication of cyber threats will only continue to grow and evolve, so companies of all sizes must stay relentlessly vigilant and agile. Whilst no organization can ever be 100% immune to an attack, continuously updating your security posture, having robust response plans in place, and taking rapid, radically transparent action if an incident does occur is the best defense for both your systems and your hard-earned reputation.
Conclusion: Turning Challenges into Opportunities
The threat of a major cyber attack is understandably daunting for any company. But with the right strategic preparation, mindset and expert partners, you can competently navigate an incident, protect the trust and loyalty of your stakeholders and even come out stronger on the other side.