When, not if – the growing threat of cyberattacks

Cyberattacks – a term to scare even the most sophisticated businesses and organisations.

In the first half of 2022, 236.1 million ransomware attacks were reported worldwide, according to Verizon’s DBR report. Globally, the UK had the highest number of cybercrime victims per million internet users at 4,783 in November 2022 – up 40%.

Unfortunately, it is now a case of when and not if a business becomes the victim of a successful attack. Just last week, T-Mobile and Mailchimp admitted they were the victims of separate data breaches and recently Royal Mail and the Guardian also fell victim to attacks.

While IT experts and specialist cyber lawyers can provide important support after an attack, it is also crucial to have the correct communications strategy.

A tone-deaf and poorly handled response to an incident can lead to significant reputational damage and further harm relationships with key stakeholders, so it’s essential that businesses get it right at the first time of asking. Unfortunately, some have fallen short and found out the hard way about the long-lasting negative impact beyond the initial incident.

So, what should companies be thinking about in the event of an attack?

Do not panic

Scattergun communications usually create more problems. It’s crucial to analyse the incident and speak with legal counsel and IT before moving to a proactive communications approach.

A common issue we see is businesses making the world aware they are victims of an attack without having any additional or helpful information to share. This will almost certainly create unnecessary pressure on internal teams handling incoming enquiries from angry and worried stakeholders as well as persistent media. It will only exacerbate an already tense situation.

There are some situations where the complexities of an investigation simply mean it takes time to gather the necessary information. Communications are not one-size-fits-all and strategy may differ on a case-by-case basis. What doesn’t change is communicating appropriately when a plan is in place and the time is right.

Address the issue

The worst thing a business can do is pretend that nothing is happening. The legal and reputational risks are too severe to bury your head in the sand. You only get one first impression when communicating, so it is best not to be on the back foot and unprepared to deal with the impending crisis – because it will be here before you know it if the situation is not managed effectively. Accept responsibility, work to address the problem and communicate with stakeholders effectively.

Be sincere, be human

Data breach communications are not just a box-ticking exercise to complete your legal and regulatory obligations. Think about the victims. There are humans on the other end of the communication who will be panicked and scared. Empathy and patience are key.

Control the narrative

The attack meant you were not in control, but you must show you have regained control as swiftly as possible. Retaining the faith of key stakeholders throughout the incident is vital. If clients have been affected in any way you must communicate with authority and confidence. If businesses look to have lost control of the situation, it will only increase the risk of clients cutting ties and data subjects moving to get their legal ducks in a row.

Be clear and concise

Cybersecurity is an incredibly technical and complex world. Your everyday person might not know what terms such as encryption, ransomware and threat actor mean. Ensure your communication is accessible and digestible. Anything complex can lead to more questions and increase stakeholder frustrations. Sum up the situation in a message that is easy to understand so there is little room for stakeholders and the press to feel misinformed.

Preparation is key

The shock of a cyber incident can wrongfoot any business, but the right preparation can ensure you have a swift and effective communications response. An audit of your existing cyber crisis protocols can reveal any shortcomings or highlight any additional content or training that is required. Regular reviews and updates will give you reassurance that when the worst happens you have prepared and can begin the recovery with strong and planned communications.