The threat of cyber-crime has become a reality for a rising number of businesses around the world, either as a primary target or as collateral damage. Being prepared to handle these situations is mandatory for all organizations today, and proper preparation includes not only IT, legal and data protection teams, but also the communications leaders and teams responsible for your organization’s reputation.
Here are 5 questions to prepare yourself and your organization for a cyber threat…
Question 1: Will I still be able to access my digital communication infrastructure in the midst of a cyber-attack?
Who to ask: The CIO
When under digital attack, organizations usually go into full (or at least partial) electronic lock-down—where all systems are switched off while the situation is being resolved. That means you could potentially lose access to all the shiny fast tools you would usually have at your disposal during a crisis to inform employees, stakeholders and the public. Imagine steering through a crisis without access to your media contact database, intranet, website, social channels – or even your corporate e-mail address. Even if your organization is not an attractive target like hospitals (where a ransomware attacker can encrypt all medical and personal data, then sell the key back to you for a hefty ransom), governmental institutions (for virus/spyware attacks), or hotels and airlines (for DoS [denial-of-service] or botnet attacks), you still might be in the line of fire as collateral damage from a cyber-attack directed at one of your clients or partners; the effects are largely the same. The key here is infrastructure. Ask yourself: does comms have access to an alternative digital ecosystem?
Question 2: Will I be immediately informed of any GDPR breaches or data leaks that can threaten the reputation of my organization?
Who to ask: Legal; GDPR Counsel
With digital transformation progressing fast, new risks arise: digital customer data, passwords and digital IDs might get stolen or accidentally published on the Internet. Malicious software has the potential to create havoc, cutting off thousands or even millions of customers from cell phone services, Internet access or boarding passes, or charging customer credit cards twice. Customers (and employees) will want to know what is happening and they will ask – some of them publicly on social media, which can eventually end in a wave of negative media coverage and irreparable damage to brand reputation. Communicators need to be included from minute one to prepare a proper response to stakeholders.
Question 3: Will I be able to quickly explain any digital breakdowns to not-so-tech-savvy stakeholders?
Who to ask: The CIO; Product Owners
More and more businesses rely on an uninterrupted flow of digital services to customers. However, those services fail from time to time, and stakeholders need to be informed and educated in a timely manner. Timely in connected markets means you need to ask yourself: Do I have the tech knowledge to understand what is going on and explain it fast to stakeholders who are not technologically savvy? To prepare, I suggest scheduling regular 1:1s with your tech staff and key vendors to learn their vernacular and understand what they do – so you can better explain those processes to third parties when the time comes.
Question 4: Are we prepared for a digital high-speed attack on our financial reputation?
Who to ask: The CFO
In a hyper-connected, data-hungry global financial system, fraudulent data can have a tremendous impact within minutes. There have been cases where criminal minds have set up a completely fake digital universe to give the impression that a business is in troubled waters (e.g. that the CEO is being fired/arrested or that a prominent financial analyst has downgraded shares), all just to cash in on a dropping share price. Even if the truth comes out within hours, the initial damage is usually done within the first few minutes. So, upon discovery of any such cases, organizations need to react without delay and have approval lines that allow for a lightning-fast response both inside and outside of the organization.
Question 5: Is our staff aware of social engineering and high-profile scams?
Who to ask: The C-Suite; HR
Cyber criminals are known to employ creative methods when it comes to gaining access to the digital infrastructure of a business; social engineering is one of the most dangerous means. Here, simple day-to-day business transactions are hijacked by criminals, making it harder for staffers to be on alert—particularly when the criminals start by building a relationship before they strike (example: a job applicant who looks regular at first glance but is in fact a human Trojan horse). Naturally, when some data or documents are missing within an application, HR reaches out to the candidate via e-mail. But in this case, the reply comes with a document download link that leads to spyware. These attacks could also come in the form of someone posing as a potential business partner, or even as your internal IT department calling executives on their personal mobile to “update” their software. For comms leaders, this means you are responsible for helping IT security leaders raise awareness throughout the entire organization and for constantly reminding and educating staff about these digital threats. Think of it as first-responder training during a fire drill: Here’s how to detect social engineering and how to react immediately if you’re caught off guard.
Bonus Question: Is my team trained for a Cyber-Crisis?
Who to ask: Yourself
With all the above being a reality today, ask yourself, how well are you prepared? Does your team know what to do… where to begin? While you can’t design a bespoke crisis response plan for every digital threat, here are two things you can start doing today:
1. Raise awareness by training leaders and employees on how to identify potential threats.
2. Prepare for the inevitable by developing a comms plan within your organization that allows you to quickly react and respond to stakeholders and the general public in the event of any digital threat.