IT security incidents are not only a challenge for security experts, but always affect the entire organization. In the event of an emergency, the technical solution level is accompanied by the communication level: Who needs to be informed about what and when? How can the risk of loss of reputation be minimized? In addition to good preparation, this is also determined by the successful implementation of crisis communication.
A serious cyber incident puts organizations under stress: regular work is no longer possible (or only partially possible) due to technical failures; information about the causes and scope of the incident is initially not available; hierarchies and process flows are no longer reliable, as the distribution of tasks must be redistributed given a previously unknown situation; and so on.
When people are confronted with an unknown and dangerous situation, they tend to react emotionally. The emergence of panic is therefore not uncommon, and a wrong reaction to the crisis can result in similarly bad consequences as the crisis itself. Such consequences must also be considered on the technical level — after all, there are still people sitting at the computers, acting and reacting accordingly. These “side effects” of an IT and communications crisis can be prevented with appropriate planning and training.
Addressing a potential cyber crisis in advance is by no means tantamount to “admitting” too weak IT security. Rather, it helps to prevent possible scenarios — even if the emergency never occurs — but also to better understand the impact of risks on stakeholders. For example, a DDoS attack on an e-commerce front end would primarily affect sales, while a data leak would affect both customers (who must be informed according to the GDPR) and the authorities. Prophylactic crisis management scrutinizes which internal and external communication channels are already functional and which ones should be expanded if necessary.
Every IT organization should have a plan for crisis communication
Planning for crisis communication does not guarantee correct action in an emergency, but it does at least ensure that emotions do not boil up as much among those involved and that they can take the first steps without delay. The literature distinguishes four phases of crisis handling: 1. preparedness, 2. preparation, 3. crisis management, 4. follow-up. The first two phases take place in the normal state, the third during, and the fourth after the actual crisis.
In the technical area, precaution and preparation can be associated with vulnerability analyses or penetration tests, for example. The communication side, on the other hand, includes measures such as the creation of a communication guide, an emergency list with contact data, and also the establishment and maintenance of functioning communication channels with the relevant stakeholders. Often, this activity is given a lower priority due to other areas — but the consequences in an emergency can then be all the greater.
In the end, however, it is also true that a plan is always only an abstraction of reality that does not always correspond with the reality of an incident. “No war plan survives the first clash with the enemy,” Clausewitz once wrote, and this also applies figuratively to contingency plans. In the real situation, it is then a matter of retaining those parts of the plan that work; and changing those parts of the plan that do not work or are based on false assumptions.
If a technical risk assessment related to cybersecurity is already in place, this is a good starting point for communicative crisis planning. As mentioned earlier, different interests and stakeholders are affected depending on the type of cyber attack, so the communication strategy should also adapt to this.
However, it is important to note that technical and communication risks may well diverge. For example, after a data incident, IT systems may still be intact because the cybercriminals “only” stole the data without disrupting its functionality. However, the consequences are enormous, which include reputational damage and legal repercussions. In addition to forensics, they also entail a high communication effort to regain at least some of the trust that was lost through the incident.
Methods and tools for proper handling of communication crises
To remain capable of acting during the crisis management phase, the appropriate tools should be provided in advance. A basic set of preparation tools could look like the following (although many more items could be added, of course):
Crisis organization chart and “war room”: when an IT incident occurs, there is initial uncertainty about who is responsible for crisis management. Different departments still need to work together for a solution (e.g., the IT department in fixing the technical problem, marketing in crisis communication), and at the same time leadership is needed. To clarify roles and responsibilities in advance — because they may diverge in the event of a crisis — it is advisable to have a crisis organization chart that defines resources and areas of responsibility. This helps to avoid conflicts arising in the hierarchy and organizational structure that could stand in the way of a quick solution to the problem. Close coordination between those responsible is also very important in the event of a crisis. For this purpose, a communication room should be prepared where they can meet. In addition to a physical room, this can also be accomplished by a digital collaboration tool in which all relevant information is aggregated and made available for quick access.
Stakeholder analysis and communication: Very important for successful crisis communication is an answer to the question: With whom am I communicating and what message is being conveyed? For crisis management to succeed, not only reactive but also proactive communication is required. Therefore, a precise analysis of the potentially affected stakeholders should be carried out in advance. Based on this analysis, communication channels can then be set up or at least prepared to be ready in the event of an emergency.
Text modules and “hidden website(s)”: When the crisis arrives at its peak, long release loops for communication measures are very counter-productive. Therefore, depending on the expected incidents and affected stakeholders, language rules should be in place that enables quick response. Of course, these are adapted to the current state of information. The so-called “hidden website” is a website that is already pre-formatted and can be published quickly. Here, affected and interested parties can access all the information that the company is currently releasing on the status of the crisis. The website creates public awareness and helps maintain communication control over the crisis issue.
Awareness training for the workforce: In addition to the strategy for external crisis communication, there is also a need for internal rules of conduct and communication for employees in a crisis. For example, it could be a call from a curious journalist or angry customer describing a cyber incident. Or even the failure of the endpoint device an employee is working with. In such cases, employees should know how best to respond. The content taught in training courses can also be put into practice. Everyone still remembers the test-fire alarm from their school days, which was carried out at regular intervals. Similar unannounced simulations can be a useful means of sensitizing employees to communication risks.