Right now, it seems a month barely goes by without a big cyber attack story making the headlines.
Reading through the statements from the companies affected, I find myself asking: “what are you doing to remedy the situation? How are you helping impacted customers?” Or even “what do you mean there ‘may have been’ an attack?” Let’s face it: the disclosures from these organisations leave much to be desired.
It’s fair to note that cyber attacks can be very complex to investigate fully. But customers today demand quick and transparent information when something like this happens.
Unfortunately, many companies fall short of this expectation, particularly when it comes to taking control of the media narrative, as well as restoring customers’ confidence in their brand. The consequences of bad communication range from strained customer relationships to poor financial performance following an attack.
What are companies doing wrong?
In the UK, 15% more companies had to deal with ransomware attacks in 2022 when compared to 2021. Cyber attacks are on the rise, yet crisis comms pros have not entirely caught up.
When you think back to some of the high-profile cyber attacks that took place, how many news stories featured vague, minimal information and delayed responses from the attacked organisations? Sadly, there are many.
For instance, when a major UK national logistics provider announced the organisation was experiencing a ‘cyber incident’, their statement did not detail the consequences, or what was being done to mitigate them.
Being selective with information provided may give the impression an organisation is withholding details and may unwittingly lead to inaccurate and harmful speculation regarding the incident. In the social media age, this is a very risky strategy. It also gives journalists room to launch their own investigation about an incident, or go to other sources for further information.
That is what happened in this case, when a week later news broke that a Russian-backed group was behind the ransomware attack after all. And can you guess? It was “reliable sources” other than the attacked organisation who were referenced.
A clearer communication strategy could have helped shift public sentiment favourably.
What does a change of approach look like?
A major sports fashion retailer was also subject to a data breach recently. However, they took a different tack that resulted in a very different outcome.
The company released detailed statements to both investors and individual customers about the situation and what it was doing to mitigate the damage. The statement further detailed the number of customers impacted, the type of attack, who was at risk and what data had been breached. Crucially, for customers it provided practical steps they could take to safeguard their accounts and personal information.
This type of disclosure provides journalists with the accurate information needed to report on the story and gives the company a clear path to moving the agenda forward. Also, attributing the apology to a CFO rather than giving a general apology made the statement more personal and showed accountability.
Interestingly, four days later, the retailer announced it was planning to open hundreds of new stores in the next five years. Despite the cyber incident, the sports fashion house saw share prices rise 11% following this announcement! The straightforward communications response strategy meant the cyber security story did not escalate and overshadow its flagship announcement.
Where does that leave PR professionals?
PR pros have to be proactive in developing cyber crisis communication strategies. We need to work more closely with IT and leadership teams for the best outcomes, as these attacks are complex and information evolves rapidly.
As PR professionals, we have to act as strategic advisors to business leaders. There are legitimate and regulatory reasons for companies not divulging too much information too quickly. Cybersecurity threats are not only changing how organisations protect themselves, but they are also changing what is demanded of their PR teams when something goes wrong.
It’s time every comms professional, regardless of industry, understands the complex cybersecurity landscape to get this right.