Cybersecurity experts are clear about one thing: for every organisation, it’s a case of when, and not if, its software systems will get hacked. Examples of this principle in action are reported every day: regard, if you will, the very public exposure of 5,000 customers’ bank account details after Transport for London’s systems were breached, or the fate of genetic testing giant 23andMe, forced to fess up to the loss of reams of sensitive health data. And we mustn’t forget the 43% of cyberattacks targeting SMEs, most of which go unreported by the mainstream media.
All of these breaches are small disasters for the businesses affected. In the worst cases, the theft and ransoming of sensitive user data not only alienates those individuals directly impacted but also trashes an organisation’s reputation for competence among future customers. Regulators, too, will look askance, imposing fines and singling out the business as an example of how not to secure one’s systems against threat actors.
This is why planning for a cyberattack is essential – not only to prevent one from happening in the first place but also to determine what actions need to be taken to master the narrative surrounding such a breach in the hours and days after its occurrence.
This is always easier said than done. In the aftermath of a cyberattack, multiple departments are placed under unprecedented pressure, from the IT team struggling to repair the company’s defences to the PR professionals scrambling to explain the incident without causing customers to panic. The success or failure of their work can mean the difference between a rebuilt corporate reputation on the one hand and regulatory ire and a tanking share price on the other. What, then, is the right way to respond to such a disaster?
First and foremost, be prepared
Uncertainty, panic and fear are understandable emotional responses to a cyberattack – and ones that, ideally, should be dampened by thorough planning for the post-incident response, argues Discernible Inc.’s Melanie Ensign. The CEO and founder of the security and privacy communications firm says that in her experience, which has seen her deal with almost every type of security incident “ten times over,” organisations that build robust interdepartmental lines of communication inevitably fare better after a cyberattack.
“It’s important [that] chief security officers build their influence inside the company so that when an incident happens, they have political capital in what is said externally, and they’re not just getting bulldozed by the legal team or the PR team,” says Ensign. “You can tell when a security expert has been involved in how a company responds compared to when it was just written by lawyers.”
More concretely, organisations need a plan for who will make decisions when the worst happens. “From a communications perspective, businesses should consider what tasks need to be done and what decisions need to be made during an incident,” explains Ensign. “If you’re going to argue about it as a company, do it before it happens, because when it does, you need to move quickly.”
On a practical level, organisations can use tools such as a RACI chart, the table project managers use to record who is Responsible, Accountable, Consulted and Informed for each task, to set out in advance who needs to do what and who needs to sign off on what.
Armed forces veteran and founder of Digility Ltd, Tom Burton, has also helped both large and small companies prepare for and respond to cyberattacks. Part of the preparation he recommends is running attack simulation exercises so companies understand better what it’s like to experience a cyberattack. He recently ran one for a high street bank that involved its entire board.
“The simulation happens in almost real-time, hitting organisations with the realities of such a scenario and seeing how they will respond, and then after each phase of it, we go over the response and identify how they could have acted better,” he explains.
Be honest and be empathetic
Organisations can’t promise security incidents will never happen again, but they can be sympathetic, open and honest, and reassure clients they will do everything to minimise the impact when they do – and crucially not leave customers stranded, argues Ensign.
“We recommend that clients be a partner for the people who are impacted by these incidents,” she says. “The organisation needs to develop muscle memory for how it expresses empathy for those affected – because the organisation is just one victim.”
Again, this should also be decided upon beforehand, says Ensign, so everyone is on the same page before a statement even gets drafted.
One company that got this right is the security firm RSA, which in 2011 fell victim to a state-sponsored hack designed to compromise the US defence industry, notes Burton. “RSA handled it very well because it was open,” he says. “There was no suggestion it wasn’t the company’s fault. It was transparent about what it was, what it learned and, more importantly, what it was doing to address risks going forward.”
Dr Jason Nurse, a reader in cyber security at the University of Kent, agrees it’s important not to downplay the impact of a cyberattack in any post-incident response, particularly when personal data is involved. “The reality is these attacks can significantly harm the livelihoods of people,” he says. That includes staff at victim organisations, Nurse’s own research has revealed, not only inside the IT department working at the grindstone of any post-incident response, but every single team supporting them.
What organisations shouldn’t do
Getting the communications response right means walking a fine line. Burying one’s head in the sand by staying silent until a breach is made public isn’t a viable option, argues Burton. By that point, he says, “you’ve already lost the initiative.”
Burton recalls working with a very large public sector outsourcing company that decided this was a good idea. The organisation rapidly lost the confidence of its stakeholders, starting with its customers. Equally, argues Burton, businesses would be wise not to speculate in public about the extent of a breach until they know exactly what is going on.
“If you go on record saying ‘we think it’s X, Y and Z’ when that’s guesswork, if the reality is different, you’re going to undermine the confidence people have in the company,” he explains.
A good example of this was TalkTalk’s response to a breach it sustained in 2015. The telecoms provider initially said it had fallen victim to a highly sophisticated cyberattack. As it turned out, the attackers had used a very basic and well-known technique, SQL injection against the company’s website, to prise open the firm’s systems and extract the data they wanted.
It’s also important not to engage in public ‘blame games’ with partners and suppliers, says Nurse, as this can further harm the business’s reputation. Additionally, it’s wise to avoid using social media to respond to questions or engage in conversation about the incident, says Kroll’s senior vice president for Cyber Risk, Christopher White. “And don’t issue broad employee communications unless you’re ready to go public about the incident,” he adds.
Burton says the length of time spent on any post-incident response will depend on how well the initial incident was dealt with. If an organisation has done everything reasonable to prevent it from happening (and on this point Ensign says it should have evidence of its efforts), has been responsible and compassionate, and has gone to great lengths to rebuild the confidence of important stakeholders, it has a good chance of surviving to fight another day.
“If, on the other hand, a company started badly, they may need to continue communicating to build confidence,” says Burton.
White, meanwhile, recommends not stopping once the incident is over, particularly if the company has suffered reputational damage.
“Companies may need to rebuild their reputation with certain stakeholder sets,” he says. “Active communication with those groups will be integral to that.
“To understand how to refresh messaging, leaders should ask employees to document their interactions with external stakeholders – including the common questions they are receiving.”
What does success look like?
Ultimately, stakeholders must be reassured a company can control the situation and learn from its mistakes, which won’t happen if “the proverbial shutters come down and a company is very defensive and obstructive,” says Burton.
And the work doesn’t stop when a breach is resolved, adds Ensign. The first thing a company should do after such an incident, she says, is start preparing for the next one. “If you have had an attack and you’ve seen a serious impact on your reputation or on trust, that should tell you that you really weren’t prepared, and you need to immediately start putting yourself in a better position,” says Ensign. After all, the next attack could be just around the corner.