Emerging threats and an ever-changing media landscape have made it critical to prepare for an emergency. From a drastic increase in cyberattacks since the pandemic began to ongoing scandals proliferating through Twitter, crisis planning is more critical today than it’s ever been.
Cybersecurity Risks In 2020
According to Risk Based Security’s “2019 Year End Report,” last year saw the highest number of data breaches ever, with more than 15 billion records exposed. That’s a 284% increase over the exposed records reported in 2018. And this year has been worse. In just the first quarter of the year, there were over 445 million cyberattacks, according to the “Arkose Labs Q2 2020 Fraud and Abuse Report.”
Unfortunately, there has also been a substantial increase in Covid-19-related attacks, with targets being unemployment, stimulus payments and the Paycheck Protection Program (PPP). Because attackers knew the day and time deposits would be made, according to Al Pascual, chief operating officer of Breach Clarity, there was an 80% increase in account-takeover attempts.
Furthermore, the surge in remote work arrangements, which increased the number of insecure networks, has also created a spike in cyberattacks.
Cyberattacks Cause Massive Financial And Reputational Damage
Cyberattacks and data breaches are costly. Data from the 2019 “Cost of a Data Breach Report” from the Ponemon Institute and IBM Security found that malicious or criminal attacks, system glitches and human errors are the leading causes of a breach. The same study found that the average cost of a breach in 2019 was $3.92 million. For small organizations, a breach can be devastating.
An organization’s reputation is also at risk after a cyberattack or breach. According to the “2018 Consumer Survey: Attitudes and Behavior in a Post-Breach Era” report by Ping Identity, which surveyed 3,000 people, if a company had a breach, 78% would no longer engage with the company online, and more than one-third would stop engaging altogether.
Brands Must Be Prepared For Crisis
If a cybersecurity crisis does occur, your company must be prepared, starting with a deliberate, strategic plan. Unfortunately, I find that most organizations lack crisis preparedness and careful planning, and instead react to the emergency.
Effective crisis planning is crucial. At the onset of a crisis, organizations must quickly develop a solid plan of action by thoroughly evaluating the crisis and determining necessary communication. Working alongside legal counsel, organizations should assess potential risks as well as develop a media plan to control the dialogue.
Organizations must also be up to speed on the tactics used by fraudsters. If you’re not already, you should be actively discussing things like malware, hacking, ransomware, phishing, internal threat actors, etc. While a crisis can never be completely anticipated, organizations can and should have protocols in place in the event of such threats.
When preparing communication, organizations should start with a comprehensive message framework and determine an appropriate response plan, along with internal and external communication. But even the very best crisis plan can fall flat if communication is delivered poorly. By facilitating press training, organizational leaders will be better prepared and more comfortable addressing hard-hitting questions while also providing necessary updates with a sincere, empathic tone.
If a cybersecurity incident results in a complete data breach, organizations must be aware of the various state and federal laws governing data breach notification requirements. While complete details will be unknown until a cybersecurity crisis occurs, organizations can prepare external communication ahead of time and enter specifics immediately following the crisis.
If no breach resulted from the cybersecurity incident, organizations should monitor the situation closely to determine if external communication will be needed. If the public is aware, you must address it. But you don’t want to create a crisis by unnecessarily disclosing details if the incident did not result in any loss of data or information.
Regardless of the severity, organizations must immediately alert employees to the situation, detailing what occurred and what must happen to prevent it in the future. For instance, if an organization experiences a phishing attack, where a fraudster sends employees emails appearing to be from trusted sources with the goal of gaining information or money, employees must be quickly alerted.
Organizations must also include protocols for handling such emails and advise employees to, for example, not click on unfamiliar links or download malware. This may seem like common sense to many of us, but remember, data breaches caused by human error are the most common.
As for dealing with media inquiries, organizations should limit spokespersons. Ideally, one person should handle interviews and it should be someone at the top, like a CEO or president. But given the high-tech nature of cybersecurity, your technology or IT executive may need to participate as well to help answer questions.
A crisis can leave a long-lasting impact on an organization’s brand; therefore, brand repair may be necessary. Through traditional public relations, leaders should build a strategic plan to emphasize positive news and maintain a strong brand or repair it from potential damage.
A crisis is inevitable. Handling it poorly can destroy a brand, making crisis communication planning critical. You must be prepared.