The importance of crisis communications in cybersecurity planning and incident response was cited several times at the Fraud and Breach Prevention Summit in New York last week. The event, organized by the Information Security Media Group, brought together several leading security experts and professionals to discuss trends and share best practices.
In recapping insights about communications from professionals who are at the forefront of cybersecurity, I thought it would be helpful to couple these with some perspective from our experience managing communications on several cyber crises.
As emphasized at the Summit, the role of crisis communications continues to be integral in preparing for, conducting training and responding to cybersecurity issues and incidents. This is largely because traditional and social media coverage and resulting fallout from a cybercrime can often be more damaging than the incident itself.
Richard Jacobs, special agent in charge of the Cyber Branch of the FBI New York Division, told Summit participants to have a high-ranking company executive, --preferably the CEO-- the chief information security officer (CISO), legal counsel and a public relations representative prepared to meet and collaborate with investigators after reporting a cybercrime.
Lisa Soto, a prominent New York attorney with Hunton & Williams, further advised Summit attendees to be prepared to bring in outside resources, including a PR agency, to assist with response.
Avoid Rank-and-File PR Professionals/Firms
We believe that public relations representatives need to have strong crisis communication experience and training, and an understanding of cybersecurity. A general PR professional or firm, that lacks this background, is ill equipped to effectively manage cyber-specific situations and advocate appropriately on behalf of the company with parties, including the FBI and third-party PR representatives.
We also advise organizations to take steps ahead of time to build a relationship with a crisis PR agency with experience in cybercrime. We recently received a call from a prospective client that was scrambling to find assistance literally as news was breaking. Because of a conflict with another client, we had to decline. It took the greater part of a day for this company to engage a crisis agency. As a result, the company was slower and less effective in their response resulting in a greater hit to their brand and reputation.
It is a prudent investment to engage a crisis firm on a small retainer to provide monthly check-ins, quarterly or twice yearly crisis plan updates, insights from industry crisis research as well as regular trainings. This retainer should include a negotiated rate to provide 24/7/365 response services for when the need arises. Additionally, you should consider hiring a firm outside of your day-to-day PR agency with language in the work agreement that designates that services are specifically for crisis communications. There is case law that supports this action providing a level of privilege akin to attorney/client.
Brian Harrell, who previously oversaw threat and risk analysis for North American power grid, made one of the most impassioned pleas at the Summit:
“Do you have talking points in your back pocket? Do you know what you are going to say? If not, you are not adequately prepared.”
Time is of the essence in a crisis situation.
The greater and more thorough the preparation, the better the outcome. While talking points are important, this is only one of many needed components. It is important to start crisis planning by identifying audiences, determining effective communication vehicles and developing consistent messaging and templates for each audience and cyber crisis scenario.
From our experience, it is also important for crisis communications to align with a “state of the art” incident response plan. While recently consulting with a larger, public company, we discovered they had separate plans for each function (IT and PR) that were not in sync. It’s important for all internal parties to be on the same page prior to executing incident and crisis communications response.
Not the same old messaging
There were a few speakers at the Summit, including Jennings Aske, CISO with New York Presbyterian Hospital, who emphasized the need for better messaging as part of crisis response. Our advice for accomplishing this is to use discretion in employing or regurgitating existing data breach messaging, forms, templates and language, which tends to be formulaic, impersonal and overly legal in content and tone.
In recently managing a social engineering case, we collaborated closely with a law firm experienced in cybersecurity to draft and revise copy to be more appropriate and colloquial while staying within legal perimeters to help avoid a class action lawsuit. This resulted in a better than expected response from impacted parties and a situation that fortunately did not spread to social or traditional media.
Practice makes perfect.
Several speakers, including David Pollino, deputy CISO for Bank of the West, emphasized the importance of regular tabletop exercises. Pollino advised basing these trainings on actual scenarios from recent news coverage in order to get executives to buy-in and think more critically about how to respond to possible threats.
We echo David’s advice and can’t emphasize enough the value of crisis trainings and simulations, which are invaluable in this and several other capacities, including testing and refining crisis communication plans and response procedures.
The theme of preparation was ubiquitous at the Summit. With cybersecurity threats and challenges becoming more acute and widespread, the need to employ a holistic approach to planning and prevention–including crisis communications—has never been greater. The presenters at the Summit underscored that the age-old adage “an ounce of prevention equals a pound of cure.” This applies to many facets of cybersecurity, especially communications.