4th June 2020
Cyber reputation: Empathy matters more than technology
In the case of cyber attacks it is important to act quickly to protect data and restore reputation, for the affected companies. Recent cyber crises have shown that there are four phases of communication from which companies should derive forward-looking, preventive crisis communication in order to operate active cyber reputation management.
A DDoS attack cripples servers, hackers steal customers’ data or sniff out sensitive corporate information – the scenarios for cyberattacks are menacing. With a strong shift to remote working during the COVID-19 outbreak, opportunities for hackers increased dramatically. Attacks are unfortunately a common part of everyday business life. According to Dell’s Global Data Protection Index 2020, the majority of organisations worldwide suffered a disruptive event in the last 12 months (82 percent in 2019 compared to 76 percent in 2018). The front line of defense around the clock is IT security. However, it is not only IT systems and company data (the intellectual property) that are at risk, but also stakeholders’ trust. They want to be sure the company has cyber risks under control and handles the data entrusted to it responsibly. That is what we call cyber reputation.
But no firewall can protect a company’s reputation – communication is needed to defend it. If enterprises leave questions unanswered, take a poorly crafted response or become tangled up in legal pitfalls, even minor incidents could turn into a serious reputation crisis. That means the target of an attack can soon be perceived as a culprit who says nothing, covers up or makes false promises.
The first and foremost priority of the experts in charge is, understandably enough, to address operational issues regarding IT security. Yet good communication is just as important. And it is achieved not through technical explanations, but by focusing on the people affected and their worries, needs and fears – throughout all phases of the crisis.
The lifecycle of a cyber crisis
Recent cyber crises have shown that there are four phases in communications:
The discovery phase begins when a company realises it has fallen prey to a cyberattack. In this phase, companies often focus on the incident’s technical aspects, such as the question of how an external actor was able to access their systems. The focus is on identifying the vulnerability and closing the security gap as soon as possible. While understandable, this is often to the detriment of a timely communications response. Apart from asking “why did the incident happen and what can we do to prevent it?”, the critical question should now be: “How do we protect the interests of our stakeholders in this situation?”
The disclosure phase brings with it the inevitable need to disclose that an incident has occurred and to actively communicate with the affected parties. The focus now should be on the subjects of the breach, the concerns of employees, business partners and customers. It is crucial to mitigate stakeholders’ fears as quickly as possible and to strengthen their confidence in the organisations’ ability to effectively navigate the crisis. If that is not the case and stakeholders have the feeling that the company does not care about them, that will increase anxiety amongst those affected and their trust in the company will dwindle. Stakeholders need to understand and, most of all, see how the company is battling on their behalf and will act once the crisis is out of the limelight. Creating a sense of transparency and ability to support those affected should be accompanied by empathetic understanding and appreciation of the situation at hand. Saying too much too soon could cause unnecessary stress, but saying too little too late could be even more damaging. That is all the more important if third-parties engage, whether on-the-record or through social media, by giving their often uninformed, critical and hence reputationally damaging take on events.
In the live handling phase, IT is still working to resolve the problem, while communication has to control how the matter evolves further. Companies need to get ahead of the story and anticipate developments. They have to explain every single step and, in doing so, engage with the interests and wishes of their stakeholders. An unpleasant aspect of cyber crises is that those in charge typically have no relevant past experience to relate to in their decision-making process. Therefore, in order to avoid serious mistakes, the company’s various divisions and outside experts must work together closely and in a spirit of trust. The communications team should be already planning for the period after the peak of the cyber crisis and initiate first steps in this phase.
The transition to the fourth and often longest lasting phase, reputation recovery, occurs naturally post any data accident situation. To restore stakeholder trust, the company must remain engaged and provide frequent information and updates to the affected individuals. In order to do this successfully, all stakeholder communication should always clearly outline all the measures that have been taken while reassuring stakeholders that protecting their interests will remain a priority longer term. Once more, the main emphasis here is not on the technology, but on empathy and accountability.
After the cyber crisis is before the cyber crisis
Anyone wishing to take proactive and preventive steps will stage cyber crisis workshops to develop a communications toolbox defining the management and decision-making processes, initial strategies and messages for various scenarios. That not only allows the communications team to prepare for a real-life incident mentally, but also organisationally. Such workshops also give the various corporate functions a controlled environment where they have the chance to test how well they co-operate. As a result, preventive crisis communication is transformed into active cyber reputation management for stormy times.
What makes cyber crises so special?
Compared to other crises, cyber crises have three special features that have a major impact on the communications strategy:
The attackers and their objectives are typically only uncovered very late – and sometimes never at all. It may be the case that only the path (vector) used by the attacker to gain access to a system can be identified. Even after a security gap is discovered, it is often difficult for companies to say reliably how much and which data has been compromised. Moreover, when the data involved is financial or represents sensitive personal information, it may cause major damage to those affected when in the hands of hostile actors – such data could range from medical results, credit card details to information allows for identity theft or social engineering. Needs to be ‘allowing’. Following introduction of the European General Data Protection Regulation, companies have to adapt to a situation where regulatory authorities and data protection officers will closely monitor their activities after cyber incidents. Serious misconduct may be punishable by fines running into the millions.