Cyber Attack Recovery Plan: PR Crisis Management Tips

Cyber Attack Recovery Plan: PR Crisis Management Tips

5 July 2021

What happens when your organisation is subject to a cyberattack? The success of your cyber attack recovery plan hinges on the quality of your pre-event planning. Cyber attacks are now occurring with record-breaking frequency, costing the global economy trillions. Successful crisis planning for cyber attack requires a cross-departmental cooperation from management, IT, operations and marketing teams.

Our Associate Director Rasheed Abu Bakar shares his insights on common cyber attack problems, crucial elements in the cyber attack recovery plan and an often-overlooked element of cyber security attacks — the recovery phase.

Cyber attack case study: RMIT University

In February 2021, RMIT University in Melbourne was hit with a nasty cyber attack, which caused havoc with student enrolments, staff wages and student services.

It’s unusual for hackers to target a university, it’s typically large corporates that are the victims of these sophisticated hacks. So I can’t help but wonder if the University was vulnerable to an attack for some reason, or if its cybersecurity was lacking. Perhaps it is simply that hackers are pivoting to new targets in 2021? We can’t be sure, however it does serve as a warning to those in industries not considered particularly vulnerable — hackers can still strike you too.

The University shared a Facebook post about the problems, which was a good way to inform followers of the downtime. However it certainly downplayed the serious nature of the incident. Comparing the language used by the university with the coverage in The AGe, and you can see the discrepancy in messaging. However, RMIT made an effort to answer everyone’s questions in the comments, which showed a good level of care, transparency and commitment to honesty.

Hackers wisely chose a particularly vulnerable time for RMIT — when teams would be busy with online enrollments for students returning in the new year. Managing systems in-house or relying on a third party-vendor may have impacted its security risk.

The importance of the crisis plan

Ideally, RMIT University would have turned to its crisis management plan to facilitate a speedy response. The first priority should always be gathering senior decision makers and internal stakeholders to formulate a reaction. Often in these scenarios, the call centres and front line staff are the face of the organisation, and tasked with answering questions from the media and the public. Without leadership and direction about messaging, they will be left to provide answers as best they see fit — which may be inconsistent, incorrect or even harmful.

By specifying elements in advance — communications chains, who to contact and even practical elements like their best phone number, the crisis manual can shape that initial response and put your organisation on the front foot to respond appropriately and in a timely manner.

The crisis in plan should never have a final copy. Instead, it is a forever work in progress document. Organisations need to know that they will constantly need to review and edit it, based on industry changes. Especially in the cyber crime space, where sophisticated hackers keep improving their attack style.

A crisis manual should include dedicated cyber attack instructions

Given the relatively high likelihood of cyber attacks and cybersecurity breaches among any organisation’s list of potential crises, it’s vital that your crisis manual includes specific instructions on how to respond. It should be fluid enough to cover a wide spectrum of potential scenarios, and flexible enough that it empowers rather than constricts teams’ decision making abilities. Rigidly strict crisis protocols can hinder rather than help, and time is of the essence. Making decisions in advance of the crisis can facilitate a speedier reaction time.

Practice helps

The boy scouts and girl guides were right: be prepared. Practical training for potential crisis situations will mean that your team members are more confident in dealing with the real thing should it unfortunately arise. Preparation activities may include simulated crisis training sessions, media training for spokespersons and workshops should be a regular and repeated part of any effective management plan.

Dealing with hacker demands

Hackers are increasingly sophisticated, so your cyber attack recovery plan must be equally comprehensive. A crucial element is considering in advance how your organisation will respond to hacker demands. Cyber security teams should be prepared to consider their powers when it comes to negotiating with hackers. Allocating adequate resources to your security teams and empowering top-led decision making is vital during this vulnerable stage.

It’s important to evaluate risk according to the evidence. Hackers will attempt to persuade you that your systems are under their control, so it’s important to provide your own resolute proof of their claims. Serious threats should be escalated to authorities when necessary, who can help you tailor your response. It can be difficult to generalise here, as the nature of attacks vary greatly. Hackers aren’t known to be trustworthy, so conceding to demands is often futile, and sends a signal that your organisation is willing to acquiesce, making you potentially vulnerable to future invasions.

Assign a resource to lead media relations

While senior IT leaders, operational teams and company management focuses on dealing with cyber security problems, someone must be assigned to take care of media relations, acting as company spokesperson. While burying the story is often what company executives demand, it’s more realistic to expect and manage media interest if the cyber attack is a significant story. Let’s not pretend the media will just report something else if you fail to give the story oxygen. They’ll simply seek third party commentators, your customers or other stakeholders for their say, leaving the story to continue without your participation, and risking considerable damage to your reputation.

Understanding the nature of media cycles and providing timely, professional and transparent updates to media is crucial. So your crisis management plan should include allocation of a key responsibility to a senior leader in your organisation who’s willing and comfortable in the role. Strong media training and spokesperson experience is vital here — you don’t want to send an untrained rookie to face a hostile media conference.

Equally important in this space is your internal communications. As RMIT experienced, your staff may speak to the media, perhaps anonymously. Keeping your employees informed (to a reasonable extent) and aware of your policy of directing media enquiries through appropriate channels will help mitigate any risk of frustrated employees speaking to persuasive journalists.

Hackers want attention

Mitigating media coverage would be the ultimate goal. However, as previously mentioned, a realistic approach is best. A proactive media response can get you on the front foot and establish trust in your ability to respond to the cyber attack. On the other hand, you don’t want to preemptively announce that you’re dealing with an issue if you feel you can possibly avoid unwanted scrutiny. Balancing these opposing challenges is difficult, so it’s impossible to give generalised advice. Only the nature of the specific PR crisis will be able to determine your decision making process.

The first wave of interest is only part of the crisis plan

Once media interest dies down and the crisis is managed the recovery stage is an often-overlooked element of the cyber attack recovery plan. During the first and immediate stages of the crisis, it’s all hands on deck. Resources are freely available. However as pressure eases, some organisations breathe a sigh of relief and revert to a business as usual method. However, the public relations aspect is only just beginning. Your reputation has taken a hit — unfairly and frustratingly, and it’s your responsibility to rebuild that positive perception amongst your core audiences.

We recommend a strategic and sustained campaign that seeks to reposition your organisation strengths, celebrate successes and re-educate your target audiences on your brand values and contributions. Silence can be dangerous here. While it’s tempting to put the crisis behind you and move on, without reminding your stakeholders what your brand is truly about, your crisis may become the defining moment that shapes the public perception of your organisation.

Consequently, we plan for a detailed, strategic and highly customised, data-driven response to the crisis that seeks to establish goodwill on a longer term. Not only does it minimise the impact of the problems in the eyes of your markets, it also sets you up with plenty of consumer trust and strong reputation which can be drawn in in any future crisis.

Sandpiper Communications specialises in strategic crisis planning and hands-on crisis management during times of corporate adversity. To learn more about our PR crisis management strategy, contact our team

.

You may also like: