The global ‘Wannacry’ cyberattack that targeted organisations in more than 150 countries, including the UK’s National Health Service, Nissan and FedEx has seen companies urgently revisiting their emergency management plans over the past few days.
Many will have turned to their list of emergency scenarios planned for and found no mention of Malware, Ransomware, Spyware or other malicious programs that can cripple a company’s computers.
This is despite Lloyd’s of London estimating the global economic cost of cyberattacks in 2015 was USD400 billion, emphasising the need for appropriate insurance cover. Reputational damage, which is harder to calculate, comes on top of that.
The first rule of cyberattack communication is to plan for it and expect it to happen. Most cyberattacks are not so-called zero-day events – exploiting weaknesses that no-one knew existed – but the result of weak processes.
The appropriate communication approach will be dictated by a company’s business, the actual impact and whether customers are affected. The response of an online customer service provider will probably be very different than that of a manufacturer.
A ransomware situation, where a company’s IT systems have been incapacitated and a demand for money to remove the problem has been issued, is comparable to a hostage situation.
Company leaders need to weigh up carefully the potential risks of over-communicating during such a crisis. Some faced with a relatively small ransom may opt pragmatically to pay it and move on, deciding not to report the problem while strengthening systems.
Cyber criminals who orchestrated the attack may be looking for evidence of the impact to encourage them and fine-tune their campaign before targeting others. Corporate leaders also need to be mindful that the situation can rapidly change. In the case of the recent ‘Wannacry’ attack a British cyber analyst discovered a weakness in the code of the virus that could prevent its spread to many more computers using a ‘kill-switch’.
For organisations that need to communicate externally, maintaining a calm and measured tone and communicating what the company is doing to secure IT systems or to retrieve information will help contain the response from stakeholders. Every company should have a basic stakeholder communication plan and protocol in place that anticipates the most likely crisis situations, including cyberattacks, and which can be adapted for specific situations.
Many companies do not do have this and lose valuable time and suffer unnecessary reputational damage when a crisis occurs. For example, having a response process that depends on sign-off by the chairman can cause corporate paralysis when this person is not contactable.