How to communicate in the event of a cyberattack?

Cyberattacks are a reality for more and more organizations of all sizes and industries. These attacks can quickly lead to direct and strong reputational impacts, in particular through a loss of trust among partners (customers and suppliers) which can further aggravate the situation through a domino effect.

If a data leak accompanies the attack, the impact of opinion then becomes a major issue and can go so far as to damage the organization's brand(s).

This is why it is vital to integrate cyber crisis communication into the crisis management system to:

• Support internal teams when they advise impacted stakeholders (employees, customers, suppliers, authorities, etc.) as quickly as possible;
• Maintain or regain the trust of partners;
• Preserve the brand image by addressing impacts that will harm the organization through reputation (media, financial, legal, etc.).

Just as ANSSI (the National Cybersecurity Agency of France) deplores, the action of communicators is pushed into the background while the crisis communication strategy must be integrated into the crisis system from the first moments of the mobilization of a dedicated unit.

“We can’t not communicate. » Paul Watzlawick – Palo Alto School.

As P. Watzlawick, theoretician of information and communication sciences, recalled, non-communication has meaning and silences are interpreted. To master your crisis communication, it is essential to be an actor and not a spectator in order to be the bearer and guarantor of the messages conveyed. But what can we say when we ourselves don't know what exactly is going on?

Crisis communication must first indicate a posture. In the first moments, it is not a question of providing precise information but of indicating recognition and taking responsibility. It is always better for partners to learn bad news from the affected organization than through rumor or the press. Furthermore, reassurance about the mobilization of teams to restore services as quickly as possible is rarely something that is best kept to oneself.

Crisis communication must meet strategic needs. These needs are generally aligned with the operational impacts related to the cyber attack. Therefore, it is not about whether to communicate or not, but to whom and how.

Crisis communication must be in line with the institutional communication strategy of the organization under attack. Internal and external are the fundamental principles of institutional communication, but reality shows that the targets are numerous and that internal and external can be broken down into a multitude of different targets. This involves identifying them using stakeholder mapping and defining who is directly impacted, who risks being impacted over time, and who is not likely to be impacted but must be taken into account in the response strategy to avoid operational impacts due to a loss of trust (e.g.: provider of a critical service blocking flows for fear of a bounce attack).

For each of the target types identified, a channel manager who will be the voice of the organization should be assigned for this type of stakeholder.

In the event of a data breach, the organization's regulatory responsibility is to notify all known and potential victims. This obligation must be an opportunity to convey messages aimed at restoring victims' confidence and brand image.

Finally, the press can take up the subject. Journalists' investigations can be perceived as a threat to organizations, but if the media have been taken into account in the crisis communication strategy, it is then possible to rely on this media coverage to convey the posture of the organization.

Crisis communication must be in line with the institutional communication strategy of the organization under attack. Internal and external are the fundamental principles of institutional communication, but reality shows that the targets are numerous and that internal and external can be broken down into a multitude of different targets. This involves identifying them using stakeholder mapping and defining who is directly impacted, who risks being impacted over time, and who is not likely to be impacted but must be taken into account in the response strategy to avoid operational impacts due to a loss of trust (e.g.: provider of a critical service blocking flows for fear of a bounce attack).

For each of the target types identified, a channel manager who will be the voice of the organization should be assigned for this type of stakeholder.

In the event of a data breach, the organization's regulatory responsibility is to notify all known and potential victims. This obligation must be an opportunity to convey messages aimed at restoring victims' confidence and brand image.

Finally, the press can take up the subject. Journalists' investigations can be perceived as a threat to organizations, but if the media have been taken into account in the crisis communication strategy, it is then possible to rely on this media coverage to convey the posture of the organization.

The keyword is consistency. Information gaps between departments that could propagate within the organization or among its stakeholders are a vector of loss of trust. Who to believe when conflicting arguments are said? The information is not necessarily false, it may simply be outdated…

It is important to centralize the production of messages, language elements, and arguments. These elements must then be declined by the channel managers who are in direct contact with the targets before being validated by the crisis unit in the committee. It is essential to master the communications validation process to avoid wasting valuable time when the organization's posture is expected.

It is, therefore, necessary to rely on a robust and formalized organization ahead of the crisis to cope effectively and above all with the right tools.

The cyber crisis communication strategy must be part of a precise time frame. It can sometimes take days or even weeks to fully understand the extent of the attack. Once the attack pattern is fully established, the reconstruction of the information system often turns out to be a path strewn with pitfalls, and the recovery deadlines are constantly postponed. Finally, it is not said that the organization's data was not exfiltrated by the attackers, and then made public until several months after the attack.

The typology of cyber crises therefore makes the timing of communication delicate. It is important to keep your partners informed to maintain trust, but it is almost impossible to give clear commitments without having to go back on them because the situation has changed completely.

It is important to always refer to the strategy to define the need to communicate and notify stakeholders while remaining humble and careful. Excessive optimism for a rapid resumption of activity too often leads to setbacks during cyber crises, which risks further frustrating partners.

But when the need to communicate arises, it is generally already too late to start working on the language elements. This is long-term work that must begin as soon as the crisis unit is mobilized.

Transparency is the essential element in any crisis communication, essential to maintain (or reestablish) trust with the stakeholders affected by the compromise. Companies are well advised to communicate precisely about the nature, origin (remember that according to a report from Verizon, 83% of compromises involve external actors), extent, and severity of the compromise (what data, what systems are affected, for example), as well as the potential impacts of the compromise (in the short, medium and long term).

At this stage, Orange Cyberdefense supports companies with the aim of defining the formulation of the communication process. According to Romain Naïm “In order to prevent communication from impacting the victim company by disclosing, for example, the presence of vulnerabilities, it is essential to define who says what, to whom, how, and when. It is crucial that this communication strategy is aligned with the operational strategy. »

But this transparency must not turn against the organization which had the courage to adopt this posture. We must indeed be vigilant about the information disclosed so as not to reveal vulnerabilities in the information system which is already severely tested.

It is better to focus on the impacts and services that are restored over time rather than the exact causes that enabled the attack.

Although communication is not intended to address the direct consequences of a cyber attack, it can nevertheless help limit certain side effects such as damage to the company's reputation, for example. Factual, coherent, and targeted, the communication is intended to support the technical response in the event of a compromise. Developing a communications plan to deploy in case of a compromise is today a highly recommended practice. As ANSSI explains in its crisis communication guide, “a crisis communication strategy benefits from being built ahead of time”. Companies that have already carried out work to prepare their crisis communications can be more responsive and react more effectively if a compromise occurs.

As part of its cyber crisis management service, Orange Cyberdefense helps companies prepare, communicate, detect, and react to compromises, then rebuild and strengthen their infrastructures.