PR for Cybersecurity Incidents
When IT consultants discuss cybersecurity, we often talk about building walls of protection for clients. We recently invited Mark Frederickson from SnappConner PR to our Between the Bytes podcast to speak with us about how his public relations firm works for clients in much the same way. This pro with 30+ years of marketing and e-commerce experience has been involved in the tech industry since 2000. He likens PR’s role to building a fortress around clients’ names and reputations.
That protection is essential because, as he notes, many organizations’ IT experts are dealing with sensitive information, including social security and credit card numbers. While he has had to respond to several incidents over the years, none have risen to the level of the headline-grabbing scenarios that make us all shudder. And that’s a good thing! Mark helps his clients avoid that level of bad publicity by having a proactive crisis communications plan in place before something goes awry.
The Importance of Cyber Crisis Planning
A crisis communications plan can assist in any type of crisis. Mark emphasizes the importance of getting your team together to discuss the potential types of crises that might impact your business. That might include the earthquake that rocked the valley several years ago, other natural disasters, a breach of trust, or a criminal act. Along with those, you should include the possibility of a cyberattack.
“Any kind of crisis can spin out of control and be publicized very, very quickly. Whether that’s on social media or [even] word of mouth can travel fast,” he notes.
Who should be sitting at that planning table? Of course, a PR professional and members of your executive team, IT experts, HR professionals, internal communications, and legal experts. Putting this team in place before a crisis happens and getting its members accustomed to working together leaves them better equipped to handle any situation.
What comes first?
Remember, the most important thing your team can do in the event of a crisis is to get it resolved. Whether that’s a physical threat to a facility, a cyberattack, or a legal issue, your first step is to take whatever action is needed to fix or minimize the threat.
The next issue is getting communications out to those impacted, whether employees, stakeholders, clients, or the general public. In the case of a cyberattack, whom you notify should be decided by your core team. You’ll have specific reporting requirements that may vary based on the type of incident and where you are. Your legal experts should always be consulted for current information.
When possible, as Mark explains, take a moment to understand the situation and its impact before you determine your reaction. For example, he once worked with a company that recycled oil. They had a small explosion at a facility that was completely contained. Of course, 911 was called, and the fire department showed up, even though there was no fire. The media picked up on the police call. They ran a few second stories with a photo of the plant, saying there was an explosion with no injuries, and everything was contained. That level of coverage did not require a full crisis response.
Fast, But Accurate PR for Cybersecurity Incidents
The key Mark mentioned is the ability to tell your story first, but accurately. In the above scenario, that was simple. In a cyberattack, you might not know the full extent of the damage or its impact. In that case, let the media know what you are doing, and if you have it, provide an estimated time when you will learn more.
“If you clam up and don’t say anything, then someone else will tell your story, and they’ll speculate about what happened or what the impact is,” Mark notes.
Recently, Okta got in trouble by playing their breach close to the vest and not releasing much information. The person who breached them craved more publicity, so they released screenshots showing what they did, what they took, and when, which put the company in a bad situation.
“That’s what makes crises so difficult,” Mark explains. “You need to tell everything that you know or that you can tell as soon as you can as you know it and as soon as you can tell it. If you don’t, and if you try and not say anything and maybe even hold information that you know or that is pertinent to your audiences, then someone else tells your story, and then you’re on the reactive part of communications, and then people will view you with less trust. If you go out with information that you know, as soon as you know it, then people will begin to trust you.”
He notes that it’s also okay not to know everything. Saying that you have not yet determined which systems have been impacted, and providing a timeline for when you hope to have information, is an effective way to manage communications. And if your timeline shifts, communicate that as well. What’s essential is that you have a cybersecurity team in place that is actively working to understand the extent of the damage and correct the problem. If you don’t, it can look as if you don’t know what you are doing, which is equally dangerous from a PR perspective.
Preventive Maintenance
You can do other things to help before a crisis, one of which is establishing a good relationship with the media.
“If you’ve got a track record of meeting expectations, that will really help you in a crisis period because that goodwill can be used to say, ‘Just as we’ve done in other times, we’re going to communicate this to you,’” Mark explains.
Likewise, you want to be sure that you communicate with key groups regularly so they don’t just hear from you in a crisis. Those people include your employees.
Mark also noted that some organizations have misconceptions about what crisis PR can do.
“We can help bring some control to the situation, but we can’t fix the problem,” he notes. “What we do is help tell the truth of the company to the target audiences.”
In an ideal situation, your PR team will be involved daily in building that positive fortress around your name. If a crisis does occur, your public reputation will be strong enough, and your communications plan solid enough, to withstand any scrutiny.
This article was written from one of our podcast episodes on Between the Bytes.