Why traditional crisis management techniques don’t work with a cyber incident, and may even make things worse

In a conventional bank robbery you have three main parties: the bank (which needs to keep money on the premises), the customers (who need to be able to enter the bank in order to withdraw money) and the bank robbers (who turn up with guns and attempt to withdraw more money than they’re entitled to).

When the press report on the robbery they paint a narrative which identifies the villains and victims. In this case the victims are clearly the bank and its clients, while the villains are the bank robbers.

Conventional crisis management and public relations textbooks all agree that in any such crisis, the first tactic to use is containment – hush things up in the hope that there will be no coverage at all. Obviously, it’s hard to hush up a very public robbery involving men with guns, so the next step is to be open about things and to show empathy. Typically you put a senior executive forward to show that you are taking things seriously – the theory being that as a victim all you have to do is show empathy (with other victims such as your clients) in order to gain sympathy. Easy – as the top textbooks agree:

  • Crisis Management Playbook: “The first rule of crisis communications is to admit your mistakes publicly. While this may drive your lawyers crazy, it will build tremendous good will in the court of public opinion”
  • Public Relations (Baskin): “Honesty is no longer just the best policy, it is the only policy when even painful truths cannot be securely and permanently hidden … Complete candour and forthrightness is the only way to achieve credibility … releasing what was previously considered confidential information.”

Now imagine that the same bank is hacked. This time the three main parties are the bank, the customers and the hackers (whose identity is unlikely to be known and who may be long gone – the average breach takes over 200 days [more than six months] to detect).

When the press report on the incident the customers will again be the victims, but rather than framing unknown hackers as the villains, coverage will pin the blame squarely on the bank for failing to prevent the hack. And the public will agree – 72% of UK residents would blame the company—and not hackers—for losing personal data.

Containment is impossible as GDPR mandates prompt disclosure. And putting an executive forward for interview when you are the villain is just asking for trouble and putting yourself in the firing line.

Instead, a totally different approach is required:

Step 1: Rapid incident response, problem resolution and forensics

You need an expert team to fix the problem as quickly as possible and to not only find the cause, but also ascertain the full scope of the data breach.

Step 2: The need for a legally defensible narrative to counter regulation and litigation

You need an expert legal team to interpret the technical forensics and shape a legally defensible narrative for use with any challenge from regulators or litigation.

Step 3: Reputation management to counter negative press coverage

You need an expert cyber comms resource to help your team deal with added complexity and enhanced comms workload – as well as potentially angry or concerned customers.

Step 4: Social response to counter hysteria and misinformation on social media

Finally, you also need top global social influencers with the authority and reach to counter misinformation and hysteria.

Yeah but we have that covered!

No you don’t. Companies like Marriott and Equifax that were hit by very public data breaches all had in-house IT, legal, comms and social media teams. They also had external support from IT service providers, retained legal firms, retained PR agencies and social media consultancies – but NONE of these were cyber incident specialists and NONE of them understood the difference between the standard approach outlined in all crisis management and public relations textbooks and the approach (outlined above) that is required following a cyber incident.

They all made mistakes early in their response that ended up costing them dearly in the long run.

For example, with step 4 (misinformation), Marriott had quickly identified the fact that the incident related only to the booking system for its Starwood subsidiary and not the booking system for the group as a whole. It failed to move quickly to address and counter misinformation on this front, and panic ensued, with press coverage and social media posts referring to the whole group and all its hotel chains.

Obviously, when it has been impacted in this way a company’s own credibility will be at an all-time low. However, if it had been prepared by developing relationships with leading security and privacy influencers in advance, then it could have leveraged their credibility when it mattered most.

Conversely, Huawei’s 5G equipment has been in the firing line for months, but it worked with the top global privacy influencers. They have helped it to counter misinformation in the press and on international broadcast TV.

Likewise with step 4 (hysteria): when a major telco faced a set of security-related issues, it worked with a team of top global social influencers to successfully distract from these by creating a social storm elsewhere. Millions of posts and views on a secondary issue chosen by the telco succeeded in capturing over 95% share of voice, meaning that the security issue it feared most went almost unnoticed and hysteria related to it failed to go viral.

In the next two parts of this blog series we will look at cyber security insurance and crisis preparedness (which is rapidly becoming a ‘source of competitive advantage’).

Part 2: Cyber security insurance – the small print, the exclusions, the restrictions and the gaps in cover

• How policies may not pay out for the next global outbreak like WannaCry, for criminal activity or for cross-border incidents
• How cover may not extend to your cloud provider, IT services provider, business partners and supply chain
• Where is the line drawn between a cyber incident covered by cyber insurance and a business one covered by business insurance?

Part 3: Prevention is always better than the Cure

• Act now on prevention – it’ll be less costly in the long run
• Be prepared for the worst though – how crisis preparedness is now a critical business capability
• It isn’t even optional – if you don’t test your processes, you’re not GDPR compliant