With more than 150 countries and hundreds of thousands of computers affected by the WannaCry ransomware attack, according to news reports, some analysts think it was the “big one” we’ve been anticipating. But many other experts believe the events of the past several days are harbingers of bigger and more damaging attacks to come.
The disruption and uncertainty caused by the global cyberattack is reason for all communicators to consider and prepare for the eventuality of a similar attack hitting their organization. Because so many companies were affected by the WannaCry ransomware, the reputation risk to any single affected company was diluted. However, companies that fail to heed this warning may not be as lucky next time. Additionally, corporate boards of directors and C-suites are increasingly being held accountable for failures to anticipate and plan for cyber incidents.
The attacks resulted in massive operational disruptions – manufacturing lines coming to a halt, hospitals turning patients away, services slowing to a crawl – which prompted the need to communicate immediately with employees, customers and business partners. These communications were further complicated by network systems being down or inaccessible, which led many companies to resort to text messages and phone trees. Preparing to communicate in this environment requires advance planning, and senior management needs to be engaged and demonstrating leadership throughout the planning process. Beyond information security best practices (patch your systems regularly, don’t click on unknown links, routinely back up your files, etc.), consider some action steps on the communications front to boost your organization’s cyber resilience:
- Think beyond the data breach. As the cyber threat landscape expands beyond data breaches to include more denial of service and ransomware attacks intended to cripple companies and government institutions, consider the communications implications of these kinds of attacks. Communicators need to be prepared to operate without access to network systems – in some cases for a prolonged period. This means having hard-copy printouts of contact lists and alternate access to your crisis communications plans to help ensure you can continue to communicate with employees and other stakeholders in a systems-down environment.
- Better together. Preparing for a cyber incident is not the sole responsibility of information security teams. IT departments should proactively protect systems and monitor threats, but if the system is breached or attacked, it’s all hands on deck. Legal, information security, corporate security, communications, government relations, business continuity, HR and other relevant functions must work in sync to respond to the cyber incident, reassure stakeholders and mitigate damages. Having a plan in place that outlines how the various functions should interact and coordinate is essential to deploying an effective response.
- Establish a chain of command. Ensure that board members understand how the organization is prepared to respond to a cyberattack. Assign decision-making authority and ensure approval processes are clearly communicated and in place. This will eliminate confusion and help your organization immediately respond to and mitigate issues that may arise.
- To pay or not to pay. Ransomware presents a substantial challenge to companies. While law enforcement officials usually warn companies not to pay the ransom as doing so may invite future attacks (true), some companies ultimately determine they cannot function without access to the systems/data that have been encrypted. Discussing this scenario in advance of an attack and establishing the determining factors that would prompt the company to seriously consider paying a ransom helps expedite the decision-making required in the heat of the moment.
- Foster relationships with third parties. Build rapport and establish trust with law enforcement agencies such as the police and FBI as well as the appropriate government bodies, NGOs and elected officials before an incident occurs. This affords peace of mind, promotes information sharing and, in the event of an attack, facilitates collaboration and incident resolution.
- Practice responding to mock attacks. Preparedness is crucial. At least once each year (and preferably more frequently), ensure your organization is ready to respond to cyber incidents through spokesperson training and desktop and full-scale simulation exercises and drills.
In today’s world, the likelihood of experiencing a cyber incident is higher than ever. Companies and organizations need to take precautions to prevent an incident from occurring, but also expect that an attack is inevitable. Having systems and processes in place to respond to and recover quickly from an attack builds cyber resilience and mitigates reputation risk. Cyber attacks themselves are not necessarily the crisis; the real crisis is when a company’s response to the attack is poor or indicative of a lack of preparation.
For more information about Burson-Marsteller’s cyber security communications services, please contact Managing Director and Cybersecurity Specialty Team Lead Sarah Tyre at Sarah.Tyre@bm.com