Crisis communication in the event of a cyber attack

Step 1: Risk Analysis

Identify and describe what cyber attacks your business or organization could be a victim of and what that would mean for service or production continuity. The most common attacks are:

• A ransomware attack

Ransomware is a virus that is installed on a device without the owner's consent. The ransom virus takes the device and files hostage (in an encrypted manner) and demands a ransom.

• A DDoS attack

With a DDoS (Distributed Denial-Of-Service) attack, criminals try to take down a web server by overloading it with a very large number of page requests. A DDoS attack in itself is not a danger and will pass, but often such an attack is used to hide another attack or as an additional means of pressure, e.g. in a ransomware attack.

• A virus on the network
• Scams, e.g. through CEO fraud
• A data breach, violation of GDPR legislation, etc.

Review your company or organization's crisis plan or cyber security incident management plan. Check if crisis communication is included in this, and in what way. Ensure that it contains, as a minimum, the following elements:

•     A contact list for support (on paper): who we can call on during an incident

•     A contact list of employees, stakeholders, partners and press (on paper): who we should inform about the incident
•     An overview of the communication channels that can be used during a cyber attack (so including offline channels).
•     An overview of key messages: for some common cyber attacks, a short message can be prepared in advance.
•     A division of labour, listing the different roles in a cyber incident and the tasks associated with each role.

Every company or organization should practice a cyber incident at least once.  Be sure to involve the communications department or communications officer in this exercise.

Good communication during an incident is crucial to avoid time being wasted and to limit reputational damage.

Respect the following order of communication:

1. Employees
2. Stakeholders
3. Partners
4. Customers
5. Press

Once you communicate to employees, you should also inform the other parties as soon as possible.  After all, it is an illusion to think that employees will treat information confidentially. In other words, the information will leak quickly to the outside world.

If personal data may have been stolen or leaked, the data protection authority should be contacted.

Define the messages:

• Consider communicate proactively.  Even before the incident "leaks out" you can communicate about it. This principle is called "stealing thunder".  You deliver the (bad) news yourself before the press flies in and construct their own story. By communicating proactively, you are most likely to be able to keep control of the communication.
• Make an immediate hold message. Communicate the following elements:
  • We know: we know what happened.
  • We do: we are now working on the following issues; we are working on a solution.
  • We care: we take this very seriously; we are empathetic.
  • We are sorry: we regret the incident; we apologize.
  • We'll be back: we say when we will release more info.
• Define the key messages
  • What happened?
  • How did this happen?
  • Who was responsible for this?
  • What are the implications? For employees, customers, partners etc.
  • What are we doing to repair the damage? What solutions do we have?
  • What are we doing to prevent this from happening in the future?

Set the tone:

• Apologize if there are victims or if a mistake was made.
• Don't get defensive, but do show what your organization did to avoid this or has done to resolve this quickly.
• You should not be ashamed; you are a victim of criminals and this can happen to anyone.
• Don't respond aggressively to accusatory questions; rather point out "lessons learned".
• Avoid making no comment: not responding to questions is a message in itself, which is often interpreted as "they must have made a mistake" or "they certainly have something to hide".

Choose a spokesperson. Advice for spokespersons:

• Show empathy.
• Don't lie.
• Be transparent.
• Anticipate and practice difficult questions.
• Use bridges to keep returning to the core message.
• Be clear and concise.
• Avoid technical (cyber) jargon.

Potential pitfalls

• In the event of a cyber attack, the main channels of communication may be unavailable: intranet, email, website.  Think in advance about alternative channels to reach different audiences.
• If a legal investigation has begun into the cyber attack, you may need to be very careful with information.  But don't let this be an excuse for not communicating or not communicating transparently.
• Attribution of a cyber attack: be careful about assigning a possible perpetrator of the attack. In a cyber attack, this is always very difficult to determine.