The frequency and severity of cyberattacks is increasing, with SMBs firmly in the sights of cybercriminals who consider them to be easier prey. According to Accenture, 43% of cyberattacks are aimed at small businesses with more than half having suffered at least one incident in the past year, but only 14% are prepared to defend themselves.
It’s no wonder, then, that a reported 60% of SMBs who have suffered a data breach go out of business within just six months. A contributing factor is the irreparable damage to their brand reputation, the loss of existing customers and the reduction in their appeal to prospects.
With so much at stake, it’s critical that every business is prepared for a worst-case scenario with a crisis plan. The very process of creating such a plan often highlights vulnerabilities which can be addressed but, should the worst happen, everyone will at least be clear about what needs to be done, by whom, how and when.
The plan needs to go beyond the technical with particular focus on communications with the myriad stakeholders any business has, including employees, shareholders, customers, suppliers, the media, regulatory bodies and the wider public.
Cyberattacks are so commonplace in the news that it’s not necessarily having suffered the incident that will be the biggest problem for a business. What they will be judged on, however, is how they’re seen to handle it and that depends upon the way they communicate about it with their stakeholders. Do it right, and business leaders can inspire confidence, but do it wrong and it can lead to a potentially catastrophic loss of trust and reputation.
Here are just some of the do’s and don’ts about communicating to help you ensure your business survives a cyberattack or data breach:
Do
- Prepare: create a plan for communications within the wider business crisis plan which pulls together representatives from all over your organisation including IT, Legal, HR, Office Services and Communications. Consider all sorts of incidents your business might face and prepare a response for each, so you know who should do what, when and how. Test the plan at least annually to make sure it’s robust and everyone has a chance to show how they will respond when the chips are down.
- Be clear about your stakeholders: make sure, as part of the plan, that you know all the audiences you should communicate with should an incident occur, how you’ll do it and the process for developing and signing off messaging.
- Get help: if your plan includes speaking with media, for example, either proactively or reactively, then make sure you get your spokespeople identified and appropriately trained. Consider whether to retain a PR or other communications agency to help you. If you have cybersecurity insurance, the provision of PR or wider communications support might be included – check your policy documentation.
- Be open and honest: make sure you communicate, especially with those directly affected, as quickly as you can. This is particularly important if you think Personally Identifiable Information (PII) was involved. You may not yet know the extent of the incident, but it’s ok to say so – at least you’ll have given them a heads up so they can make the right decisions to protect themselves. This is your chance to show empathy and make the right impression about your leadership.
- Notify relevant regulatory bodies: make sure you meet their requirements, for example, under the General Data Protection Regulation (GDPR).
- Prepare holding statements: ensure all spokespeople are aligned in what they’re saying. These statements can evolve as the position becomes clearer and you’re able to provide more details about the incident and your response to it.
- Consider creating a webpage containing all the information about what has happened and the action you’re taking and possibly even a telephone helpline.
- Test your plan regularly: maybe even working with external experts who will devise scenarios to really put your team through its paces so you can be sure they’ll be ready to handle any type of crisis should the need arise.
Don’t
- Fail to plan: yes, planning IS time-consuming and there are so many other things a business leader has to do but failing to plan will leave your business vulnerable and unable to handle a crisis effectively.
- Underestimate the risk: it’s not really a matter of if you’ll suffer a cyberattack or breach, but when. Make sure you’re ready.
- Get caught on the back foot thinking the news won’t get out and have no plan for dealing with the media or, worse, think a “no comment” response will make them go away. It won’t. It’ll just make them think you’re hiding something. If an incident is serious enough, adverse media coverage can cripple your reputation in hours, possibly irretrievably.
- Wing it: your reputation is important. Invest in preparing, training and in practising through regular crisis exercise events so you can have confidence that you’re ready should the time come.
- Stop communicating: make sure you continue the dialogue with your stakeholders, even after the immediate aftermath of the crisis is over. Let them know what you’re doing not only to recover but also what you are continuing to do to minimise the threat of any recurrence. This visibility will help strengthen your credibility and build, or rebuild, trust.
In summary, it’s not just the technical ability to deal with and recover from a cyberattack or data breach which will make or break your business. It’s how you’re seen to do so and the way you communicate with relevant stakeholders.
If you don’t have in-house resources to develop a communications plan, then talk now with other organisations who may be able to support you. It may involve cost, but when compared with the potential for such catastrophic reputational damage that your business is one of the 60% who can’t survive beyond six months, then this might just be a smart investment.