Cybersecurity strategy has been an imperative for operations/IT leaders and their communications partners for years, but its importance has been starkly highlighted by this weekend’s cyberattack on JBS Foods. It’s tempting to call this attack on the world’s largest meat processor a wake-up call for companies, but that’s only true for those who have been hitting the snooze button.
For the second time in a month, hackers have impacted the supply chain of a major company. In May, gas customers in the Southeastern U.S. felt the impact of the cyberattack on Colonial Pipeline, which paid a ransom to restore its systems. And now the food supply may see some disruption as JBS works to restore its meat plants in the U.S. and Australia to full production capabilities. In both cases, hackers from inside Russia are suspected, and there is no reason to believe we have seen their last attack.
In addition, given the trend of attacks upon critical supply chains, companies that are part of 16 sectors deemed critical infrastructure by DHS (e.g., food production, energy) will face even more pressure to demonstrate to the federal government that they have precautions in place. Before the Colonial attack, the Biden administration had already launched a sweeping strategic review to address the increased threat of ransomware attacks, which could lead to more requirements being placed upon the private sector
As owners of corporate reputation, we can take immediate steps to assure stakeholders and strengthen enterprise response in a worst-case scenario.
Immediate Stakeholder Expectations
It’s no surprise that customers, employees, investors and news media are asking companies today whether they are prepared for a similar attack. If you wait until there’s an attack to start communicating about your organization’s cybersecurity measures, it is already too late. Smart companies are getting ahead of the discussion by positioning themselves as responsible and savvy protectors of their stakeholders’ data and their own operational integrity.
- Update (or create) your narrative around cybersecurity and business continuity preparedness. Ensure your existing messaging answers the key questions from stakeholders, including:
- How have we prepared (without revealing proprietary information)?
- What is my role in the plan?
- What redundancies have we created to ensure continuity?
- Be cautious with external statements that can be boastful or overpromise. Companies cannot guarantee they won’t become cybersecurity victims, and nuanced language can help avoid baiting hackers to target you.
- ESG (Environmental, Sustainability and Governance) Implications: Consider what about your approach and long-term mitigation can be shared externally. Cybersecurity and a business’s management of risks therein is becoming a critical factor for investors as they prescribe ESG rankings and ratings.
Communications Issues Considerations
The most recent wave of cybercrime is making companies reckon with how they would communicate if their operations were completely shut down, a reality many have not fully contemplated. As if communicating during a ransomware attack was not difficult enough, there is the possibility that a company’s communications channels — email, company cell phone or conference lines, social media channels — could be compromised as well. In these circumstances, companies must consider how they will interact with stakeholders, especially employees, to provide the critical information they need to respond to the situation.
- Companies must be prepared to explain to stakeholders what is happening, how they are handling the situation and when they expect to provide products and services to their customers, among many other concerns.
- Companies must think about how they will communicate to employees about how they need to act during a serious cyber incident.
- Lead with employee communications and ensure plans are in place to ensure employees feel prepared before, during and following a cyber incident.
During any cyberattack, companies must grapple with unknown information (e.g., how much data was exposed), but ransomware and DDoS (distributed denial of service) attacks present vast uncertainties that make messaging even more difficult (e.g., can we get control back, etc.). Moreover, there is the thorny question of paying the ransom, which authorities officially discourage. Instead of asking for exorbitant amounts of money that might be difficult for organizations to even consider paying, in many cases hackers have lowered ransom demands to amounts where organizations need to seriously consider paying to make the problem go away.
- Create scenario-specific messaging that will satisfy stakeholders without providing information that is inaccurate and/or can be contradicted later as new information is disclosed.
- Companies should be prepared with Q&As to address tough inquiries from media and stakeholders, balancing what the company knows with what it doesn’t, especially in regard to ransoms.
Successful responses to cyber incidents require the participation of many factors: cybersecurity consultants, internal IT, legal, operations managers, etc. It is critical that all these parties are working in lockstep and have clear roles and responsibilities, and that communications teams are both receiving and offering insights to inform the enterprise’s overall response. Ketchum has experience interacting seamlessly with integrated teams to prepare for and respond to cyber incidents, including ransomware, providing counsel on how to maintain proper lines of communication and mitigate reputational risk of the organization.
- Now is the time for companies to review or develop crisis communications plans for cyber incidents beyond just data breaches.
- As part of those plans, companies need to consider the many different permutations of ransomware or DDoS attacks and determine their response.
- Media-train CIOs or other key spokespeople for worst-case scenarios.
- Conduct live simulations of cyber incidents to provide practice for internal stakeholders to work together to address serious cyber incidents (which is something Ketchum can help with).
Ketchum’s cross-functional specialists in Issues and Crisis, Executive Advisory and Employee Communications have worked with multiple clients in creating or assessing their pIans and testing them through simulations. If you would like to explore developing, auditing or updating your current cybersecurity comms plans, please get in touch.