On 12 February 2013, U.S. President Obama issued an executive order that identified cyberthreats to critical infrastructure as one of the most serious national security concerns. The order outlined specific measures the government sector must take to align the country’s critical infrastructure with modern practices to maintain cybersecurity and the continuity of government. Since that time, a barrage of cybersecurity events has threatened both governments and the private sector around the world.
More than ever before, public relations practitioners must be well educated in the cause and effect of cyberthreats, and the significant risk cybersecurity events present. As these threats grow in frequency and complexity, practitioners need to elevate cybersecurity communication strategies in their crisis response toolkit to protect the brands they represent and encourage transparent communication with their publics.
For the public relations practitioner, the challenges of these types of events are significant. Practitioners face the challenges of communicating complex technical topics. Many lack the technical understanding of increasingly sophisticated cybersecurity terminology, which can create confusion when communicating with the public. Just take a look at some of the significant missteps in communication practice in some of these high-profile attacks: the Target data breach in November 2013 (perhaps one of the most highly publicized cyberattacks to date), Anthem health insurance in February 2015, the U.S. government’s Office of Personnel Management attack in June 2015, which significantly compromised national security, and the United Airlines breach in July 2015.
Clearly, no sector is immune to the risk, and the economic fallout is devastating. In October 2015, the Ponemon Institute released its study on the cost of cybercrime in the U.S. The Institute’s research concluded “that the mean annualized cost for 58 benchmarked organizations is $15 million per year, with a range from $1.9 million to $65 million each year per company.”
As public relations practitioners, we are entrusted with the reputation of the organizations we represent; we must learn to communicate technical issues with a direct purpose and intent, using clear narratives that reinforce organizational trust. Our communication must be clear and decisive, outlining actionable steps the organization is taking to mitigate the breach.
Practitioners must be able to understand highly sophisticated technical information and communicate it in a clear, cohesive manner. This means becoming versed in the communication of highly technical information.
Develop a cybersecurity response strategy
PR and other communication practitioners must create and follow a cybersecurity crisis response strategy and embrace the strategy’s communication objectives. Transparency should be the cornerstone of the strategy’s purpose and intent.
Here are five practical steps to take when developing your strategy:
- Assemble a diverse, cross-sectional, emergency cybersecurity response team (ECSR-T).
- Determine and appoint legal counsel competent in the intricate nature of cybersecurity events to protect the organization. If possible, include outside communication counsel to review your plan.
- Appoint a specific person—a communication practitioner—to take responsibility for the plan and cybersecurity incident response efforts.
- Regularly participate in briefings with technical members of the team to develop a comprehensive understanding of trending risks and cyberthreats. Continually evaluate your response strategy and embrace a culture of cybersecurity awareness that complements your communication response strategy.
- Test likely scenarios for your organization to determine the effectiveness of your plan. Use focus groups to test your security and identity authentication systems. Consider a straw man fallacy approach to determine credible threats within your enterprise.
Understand the attacker’s purpose
In order to accomplish specific cybersecurity communication goals, the appointed communication practitioner must first understand the purpose of the attack. The technical experts advising you can provide real-time technical analysis of the attack, to help you home in on the suspected purpose, intent and target.
The team analyzes a variety of possible motives. Was the attack directed at intellectual property? Trade secret, top secret, or compartmentalized data? Financial or consumer information? What does your team understand about the attack? Each of these questions complements your cybersecurity response strategy. Remember, stick to your plan, and follow your prepared narratives.
Consult legal counsel and integrate with government agencies
The firm Baker Hostetler has compiled a global list of privacy laws and what actions need to be taken in different countries in the event of a data breach. In the U.S., you should immediately communicate the incident to the Department of Homeland Security through the department’s Cyber Incident Response Center.
Follow the direction of legal counsel to protect your organization. This requirement offers transparency to law enforcement and is a critical step in developing a close working relationship with law enforcement as you move through the crisis.
Reinforce trust through transparency
Many organizations have faltered in affording the public transparency in communicating about cyber-related attacks, an error that erodes confidence, trust, and in some cases, shareholder value. As leaders in public relations and communication strategy, it is our duty to communicate with our audiences transparently, sharing what we know.
The only caveat is we must not jeopardize an active law enforcement investigation. This consideration is part of your toolkit and can serve as a method to slow down the distribution of information as facts are discovered, making it less likely that you will need to issue retractions or corrections to statements later on. Communicating transparently helps the organization control the narrative and response strategy and minimizes the disastrous impacts of negative publicity.
Have confidence in your plan
Cybersecurity threats are real and must be addressed proactively. Following a simple crisis response strategy and using third-party experts when possible will provide your organization with ample resources to address a cyberattack with confidence. Stay current on trends that influence the cybersecurity world. Familiarize yourself with common terminology and ask questions of your technical staff and security experts. Rigorously test your plan and deploy real-world tests to ensure successful communication outcomes. Communication strategies that proactively address cybersecurity events will minimize their impact, encourage positive outcomes, and enhance trust with your organization’s stakeholders.