In part one of our Speaking on Cyber series for Cyber Security Awareness Month this October, we sat down with Anne Marie Quinn, Senior Vice President & Partner at FHR, to learn why all businesses should have a cyber communications plan ready in advance of a data breach.

Today, we move to the immediate communication actions that businesses must take following a cyber incident. All too often, Canadian companies and leadership teams are caught flat-footed and completely unprepared for a data breach. Without a clear roadmap, executives are left scrambling for answers and unsure who to bring in, what to say, or when to say it.  

To understand how to communicate during a breach effectively, we turned to Charles Muggeridge, Senior Vice President, Partner at FHR, a seasoned communicator with decades of experience helping guide organizations through crisis.    

‍Key takeaways - communications during a breach

• Ensure your comms team has a seat at the table from the start

• Understand the communications needs of the stakeholders who need to be engaged
• Establish listening measures for both social and traditional media
• Communicate transparently and accurately with your audiences  

‍Speaking on Cyber: Q&A with Charles Muggeridge

‍What are the first steps an organization should take following a breach?

The Cyber Incident Response team needs to be identified and then convene quickly. The team should include a breach coach (external), cyber experts (external), legal experts, IT operations specialists, public affairs consultants, and, of course, breach communications specialists (external). Once everyone is in the room, you need to determine the protocol for decision making. Then there are some basic questions that need asking – are we covered by cyber insurance? Do we have a cyber breach response playbook? Are additional experts needed and can we bring them to the table immediately? Then the team needs to understand what happened, who may already know about it and immediately start working on a communications response strategy. A big part of what the communications team does is help translate the often-technical information related to the breach into plain language for customers and employees.

‍What are the implications of communicating too quickly?

Following a traditional crisis communications model, many organizations rush an internal and/or external statement out in an understandable desire to be transparent and immediate. However, you need to understand that communicating around cyber security is different. As the situation unfolds, there is a lot you won’t know, and it is better to be accurate than to speculate and have to walk information back. This will only lead to more questions that will inevitably distract you from your end goal: ensuring your company and your customers are protected throughout the incident.  

Remember that everything is on the record, including initial employee communications about the incident. Rushing employee comms out can create leaks, as well as unnecessary concern from employees/customers/stakeholders. So, go out and be timely but don’t rush to conclusions and statements that your investigation has not established.  

What are the implications of communicating too slowly?

Transparency and accuracy are crucial, but so is timeliness. The key is that communication needs to happen as quickly as possible once facts are available, because you can’t be seen to be sitting on information that has a direct impact on individuals, whether employees or customers. Organizations will be challenged when there is unnecessary delay, as the media and public will focus on the discovery-to-notification time gap.  

What does the ideal handling of a cyber incident look like from a comms perspective during the incident?

Things are going to move at lightning speed and with your brand’s reputation at stake, your communications team needs to be involved with all key decisions right from the start. They also need to be entirely aligned with legal and the breach coach. From a communications perspective, an ideal scenario would look like the following:

• The right comms team would be established early – This team would have “seen-it-all-before” senior experience and would be closely aligned with the other members of the Cyber Incident Response team.‍

• The team would understand the situation – This team would know what you can and can’t say. They wouldn’t rush communications in the absence of known facts about the incident and would have basic foundational messaging in hand to rely upon.  

• Listening would be established early and conducted often – The communications team would monitor both social and traditional channels. It’s imperative to know what audiences are saying in order to respond effectively.
• Stakeholders would be known and mapped – In a perfect world, the organization would have already clearly mapped out the stakeholders who need to be communicated to in the aftermath of a breach (employees, partners, board members, customers, law enforcement, Privacy Commissioners, industry regulators, insurers, and media). At the outset of handling a breach, the organization needs to determine who needs to hear what, and when, about what’s happened.

• A leak strategy would be developed – Leaks can come from several sources, including, but not limited to, the threat actors themselves, employees, competitors and/or reporters or social influencers. Situation-specific protocols would be established for when it is decided a leak is serious and has the potential to take away control of the communication and narrative. 
• The team would be nimble and prepared to pivot – The situation is dynamic and can change in an instant. The ideal team would be prepared to pivot on both approach and messaging as the hours, days, and weeks after the breach will bring new information – and challenges – to light. The team would also have a defined communications strategy around customer notification.

In the next installment of our Speaking on Cyber series, we chat with FHR President and expert crisis communicator, Angela Carmichael, to discuss how leaders can better communicate in the crucial hours and days following a cyber breach. Check back on the blog later this week for that.  

For more information on navigating a breach, visit the Canadian Centre for Cybersecurity. To protect your organization from unpredictable threats and cover your workforce devices and IoT, SaaS and email, consider deploying FHR client Darktrace’s self-learning cyber AI. To make sure your team is cyber security aware, train your employees using FHR client Terranova Security’s people-centric security awareness training.