A lot of the coverage around the CIPR and CPNI’s Crisis Management for Terrorist Related Events Guide related to the terror attack aspect. As a new angle on crisis communications, it was no surprise that this was the case.
However, the cyber attack side seemed to get less attention. I thought I’d follow up my previous piece with more on this area.
Who is at risk from a cyber attack?
If you are connected to the internet or hold data, you are at risk. Research published by the Department for Digital, Culture, Media and Sport (DCMS) shows that 98% of businesses rely on at least one form of digital communication or online-based service (see the graphic below).
Potential threats include:
- Phishing scams: hackers attempt to defraud the company through realistic-looking emails that request funds or login details
- Data breaches: hackers target important information, such as financial records, files relating to intellectual property, data on customers and staff, etc.
- Viruses, spyware or malware: usually installed after clicking a bad link or downloading a corrupted file or piece of software
- Denial of Service (DoS) attack: multiple users or bots target a website with the aim of making it crash
These risks are relevant both to company equipment and personal devices, with 44% of businesses saying staff used their own equipment for business purposes.
How many businesses experience a cyber attack?
According to the DCMS research, 32% of businesses and 22% of charities were attacked or suffered a data breach in the last 12 months. Nearly half of those businesses said that the attacks occur at least once a month.
The risk increases with the size of the business. For medium-sized businesses (50-249 staff), 60% had suffered an attack. Large organisations (250+ staff) were slightly ahead at 61%. High-income charities were more than double the average, with 52% attacked in the last 12 months.
The average cost to a business that has suffered an attack ranges from £4,180 for smaller businesses (10-49 staff) through to £22,700 for the largest. However, these only include direct costs. Lost productivity, reputational damage and potential fines were not covered within the report.
What is the impact of a cyber attack on a company’s reputation?
The major issue with a cyber attack is that the organisation is more likely to be blamed and held accountable if something goes wrong. Media and affected stakeholders will look at the organisation's processes and ask whether it could have prevented the attack.
Messaging from the organisation must focus on taking responsibility for the issue and explaining how the problem will be solved. An apology is essential, and a summary of the steps being taken to avoid it happening again will be an important step towards rebuilding trust.
There have been many examples of organisations suffering from cyber-related issues. A common thread is the time between when the attack happens and when relevant people are informed. There is a tricky balance for organisations here. They need to move quickly to make their systems secure, but also give their stakeholders a chance to take actions to protect themselves as well.
Is there anything communicators can do to help before a crisis occurs?
The DCMS research identified 10 steps for better cyber security. One was user education and awareness. This is something that internal communications can and should support.
This will involve the communications function working closely with IT to ensure that messages are fed through the business in a clear and meaningful way. The aim is to make everyone feel that they can play a part in making the systems more secure.
Suggested areas to focus on include:
- Basic awareness training
- Explaining practical ways staff can maintain device and system security
- Sharing examples of best practice and security failures to offer real-world context
- Identifying what staff should do in the event of something going wrong or if they see something suspicious