Your organization is going to experience a cyberattack. It may occur today, tomorrow, or several months from now, but it’s going to happen.
Are you a doubter? Don’t take my word. Ask executives at Anthem, the Democratic National Committee, Sony, Target…the list goes on and on.
Certainly, you need to include your IT and risk teams as you work to grasp the scope of your predicament. But let’s face it; these technicians are generally not the spokespeople you want as the face of your organization. Your customers, members, and the public at-large deserve to hear the news and your planned next steps from your top brass.
There are lots of suggestions on how to firm up your IT department: hire more people, sign a contract for anti-hacking services, intensify your email filters, etc. But here’s a critical question that is too often ignored: How can you ramp up your communications capabilities? There seems to be far less research on this aspect of a cyber-crisis, so here are some ideas you can use:
- Organize regular simulations on cyber threats.
- Craft your basic message before an attack occurs. You cannot guess the exact nature of the hit you will take, but you can shape a template that outlines a general message you can fine tune later.
- Decide which executives will speak to your public. This should be your CEO, barring a compelling reason to the contrary.
- Hold regular media training workshops for any and all potential spokespeople. This means more than a “one and done” check-the-box session.
- Insist that your communications, legal, and public affairs teams play nice together and anticipate how much to say (lawyers typically want to say little while communicators prefer more sunshine).
- Establish a relationship ahead of time with an experienced communications training consultant who can guide your leadership through the challenge of communicating your situation before, during, and after the attack. If you have a retainer with a public affairs or public relations agency, confirm that they have a full-time staff member dedicated to this specific type of expertise.
- If your issue runs the risk of incurring governmental oversight, prepare your executives before they are summoned to appear before Congress, state lawmakers, or federal or state regulatory bodies.
- When the attack comes, fine tune your messaging document, making it specific to the situation at hand.
- Hold periodic reviews of your messaging as your crisis evolves. This can sometimes require hourly or minute-by-minute modifications.
A cyberattack is bad enough. Failure to communicate will seal your doom, tarnishing your reputation. The survival of your organization rests upon how skilled you communicate in the face of this almost inevitable crisis.