When an adverse event occurs, it’s easy to let emotion take control. Failing to make timely decisions can turn a bad situation worse, but acting on impulse can be just as risky.
Given the high stakes involved, how can you prepare your leaders to operate quickly and prudently when the pressure’s on? What tools can you put in place to help them make smart decisions with limited information? By establishing the proper plans and relationships in advance, you can position your organization to handle a cybercrisis event with control, efficiency and accuracy.
According to Robb Mattila, director of crisis management at U.S. Bank, preparing for cybercrisis is a constant cycle that involves planning, training, exercising and learning.
Having a communications plan is a critical part of cybercrisis management and preparedness. Follow these tips to help you communicate effectively to key stakeholders and the media in the event of a cybercrisis.
In a cyberevent, people like to hear from you quickly. While you’ll never be able to identify every single situation that could happen, you can create templates for the top four or five most likely scenarios. This gives you a starting point that can be customized specific to the event that occurs.
“We know in the absence of any communication, people start to come up with their own stories of what happened,” says Cheryl Leamon, corporate issues management and communications lead at U.S. Bank. “It’s important to acknowledge awareness of the situation and that an organization is addressing it.”
Organizations can get themselves into trouble when they try to communicate too many specifics early on. It’s important to ask yourself:
“If incorrect information is communicated and you have to retract things you said, you lose the trust of your employees and your customers,” says Leamon.
Finding the right balance between under and over communicating can be challenging. A good practice is to include phrases such as: “at this time” and “what we know now.” This implies that information is always evolving and subject to change.
Customer service is crucial to any crisis situation, especially in the event that someone else’s data may be at risk.
“Consistent messaging to all audiences is important when it comes to a crisis,” says Leamon. “Customers, elected officials and media all need to be hearing the same information, otherwise it will cause confusion and make an already tense situation more stressful.”
As a senior leader in your organization, be prepared to make phone calls directly to your clients. Using the established script and adding the details you know about the specific situation will prepare you for this conversation.
Maintaining relationships with local law enforcement is an important part of crisis management. These individuals can advise you on the current threat landscape and will be beneficial to your organization should you need to reach out.
Many organizations also maintain contracts with independent third parties that will provide cyberforensic assistance in the event of a crisis.
In terms of contacting these outside parties in a cyberevent, it’s important to determine who communicates with whom so there’s no overlap or omission.
Once you’ve determined and implemented the steps to your cybercrisis plan, think about other crisis areas that may need to be addressed. Many of the principles practiced in a cybersituation apply to events such as natural disasters or terrorist attacks. Additionally, learn from the shortcomings or successes of other organizations to continuously develop your procedures. With an established crisis plan routinely practiced and improved upon, you can be well prepared to defend yourself and your clients against a threatening event.
Continue to evaluate your cybercrisis practices and determine if you need to create or revise your process. While the tasks we outlined may seem daunting, the benefits of being prepared will far outweigh the challenges you may face if you ever experience a cybercrisis.
Learn more about Cybersecurity: Protecting client data through industry best practices.