This is a guest post from Dr Marcus Thompson AM, Chair of ParaFlare and the first Head of Information Warfare for the Australian Defence Force, and Carlie Gibson, Director, Marketing and Communication at ParaFlare, following last week’s webinar, Protecting your reputation in the age of cyber warfare. You can watch a recording of the webinar here, or listen to a recording here.
Welcome to the age of cyber warfare where everyone is a target, and the smallest security flaw can cost an organisation dearly, in terms of both money and reputation.
One small gap in an organisation’s security armour – the individual who clicks on a link in a phishing email; a simple administration password; a security update patch ignored – is an attack opportunity that a cyber threat actor will exploit without even trying. Honestly, that’s the simple stuff they just love. These are not complex or sophisticated attacks.
Are we at war in cyberspace? No. But are individuals, groups and nation states using the tactics of cyber warfare for personal, financial or political gain? Absolutely.
And for all the communication professionals reading this article (who are, let’s face it, the intended audience), preparing for a cyber-attack should absolutely be part of your strategic planning. If it’s not in a strategy, a crisis management plan, or a risk matrix of some description, it definitely should be after reading this article.
Consider, for a moment, some of the recent data breaches we’ve witnessed. CEOs have fronted media conferences in tears. Customers have taken to every social media channel to vent their frustration. Commentators have criticised every decision that data-breached companies have made. Shareholders have expressed outrage. And all of this has played out in the minute-by-minute news cycle.
It’s a living nightmare for everyone involved.
So how do you protect your reputation in the age of cyber warfare?
You start with the basics.
1. Find out if your organisation has an Incident Response Plan that includes consideration of a cyber security incident
A good Incident Response Plan details how your organisation will respond to any crisis, including the procedures your security team can use to identify, eliminate, and recover from a cyber security incident. It may involve bringing in specialists – such as a cyber security company – to assist with the incident response.
The Incident Response Plan should set out the roles and responsibilities for every person involved in the response to a cyber incident and align with your business continuity plan. A communication lead should be part of any Cyber Incident Response Team (CIRT).
The Australian Cyber Security Centre has a helpful Cyber Incident Response Plan guide and template to get you started.
2. Test your Incident Response Plan against a potential cyber-attack
It’s not the plan that’s most important – it’s the planning. A tabletop exercise or simulation is the best way to test and rehearse the plan, find the gaps, and make sure you’ve got them covered. You might be surprised just how under-prepared you are to respond quickly in the event of a cyber incident, and this can be the quickest way to get the attention of your C-suite, Executives or your Board.
The Incident Response Plan may be supported by other, more detailed procedures, and there’s no ‘one size fits all’ approach.
Given the increasing frequency and scale of cyber attacks in Australia, your plan should be tested and updated regularly. Don’t let it gather dust on the shelf, and make sure new staff members know what it is and where to find it.
There are cyber security specialists who can help you run a tabletop exercise or simulation and provide a comprehensive report to your leaders and your Board. This can be a valuable investment that saves a lot of time and money down the track.
3. Plan and prepare ahead of time
Preparation through risk mitigation is second nature to most communication professionals. Every good communication strategy includes key messages, media holding lines and statements that can be prepared ahead of time and updated quickly. A cyber incident is no different.
This will force your organisation to consider the following, saving you time in the face of a crisis:
- Who is our spokesperson? (You may have more than one depending on the audience and channel).
- With whom do we need to communicate? (Customers, staff, regulators, law enforcement, stakeholders, shareholders, suppliers, Board members, media, etc).
- What is the priority order of our communication activities? (Every organisation will be different, but customers should be at the top of the list).
At this point, you will not know exactly what you will say in the face of a cyber incident, because every situation is different. Simple holding statements will be helpful and can be adapted for different audiences or channels.
What you can decide right now is how you will approach your communication. Start with your organisation’s values, and the basics of crisis communications.
Tell people what you know. Tell people what you don’t know. And tell them when and how they will hear from you next. Authenticity is key!
Investigations into cyber attacks are complex and information may come to hand slowly. As recent high-profile incidents demonstrate, the circumstances you’re facing at the start of a breach can deteriorate very quickly. Never understate the seriousness of the situation until you have all the facts. Everyone is hurting, so make sure you show genuine empathy in all of your communication, including with staff.
4. Make sure the comms lead has a direct line to decision makers
In the event of a cyber incident, a communication lead must have a direct line to the senior leaders and decision makers within the organisation. Their advice should not be filtered through layers of middle management. There simply isn’t time, and their advice and expertise are far too valuable.
Most communication professionals have spent years honing their craft. They live and breathe reputation management. They will champion your organisation at every opportunity and protect its reputation with every fibre of their being, especially when something goes wrong.
5. Promote a culture of security within your organisation
You can’t spin your way out of a cyber-attack. The investigation that follows will reveal the truth. Most attacks happen because humans make simple mistakes. The result – the loss of control over sensitive information or customer data – can be catastrophic.
Cyber risk can never be reduced to zero. A determined hacker will find their way into an organisation. Once inside the network, it’s the highly specialised cyber operators who find them, and kick them out.
A mature approach to cyber security should be part of your organisation’s culture. To achieve that, everyone has to invest in it – from the top down. Cyber security needs to be part of your onboarding, ongoing training, and staff engagement activities. Everyone needs to know what to do if they receive a phishing email or if they click on a suspicious link. And everyone needs to accept the inevitable restrictions on their online activities in order to be cyber secure.
When the worst happens, organisations that have followed steps one through five will be on the front foot in the face of a cyber incident, and much better prepared to protect their organisation’s reputation.