Supporting clients through crises is a big part of what we do, and in today’s landscape that means dealing with more than a few cyberattacks.
Cyberattacks are increasingly common, to the point where it’s not a matter of if your organisation will get caught up in one, but when. Third-party attacks, where workplaces are compromised through service providers and other partners, are one example where people fall victim through no fault of their own.
In late 2022 and early 2023, we helped an organisation through one of the biggest cyberattacks ever seen in New Zealand. The lessons they learned align with our own experience of assisting various other clients through cyber crises of their own.
Whatever the nature of the attack and the circumstances around it, there are three key things organisations need to know.
1. The critical factor is preparation
Your ability to handle a cyberattack ultimately comes down to:
- How prepared you are
- Leadership and organisation in the moment
- The specialist expertise you have available, including in communications, IT, legal and other areas.
Points two and three loop back to the first. The inevitability of a cyberattack on your organisation means being prepared is fundamental. In the eye of the storm, you do not want to be starting from ground zero.
Preparation is required in two ways. First, as you would expect, ensuring your cyber security posture is fit for purpose (on this, check out Alerts and Tips – Incident Response Solutions).
Second, and typically underestimated, is understanding who your audiences are (e.g. how up to date is your ex-staff database?), the roles and responsibilities of the people involved in the response and which channels you’ll use, and having tailored messaging templated and prepared.
Part of being prepared is running response simulations, so you can identify what works and what doesn’t. You can explore the concerns various groups are likely to have and get ahead of how to handle them.
While the response to the crisis will always depend on what’s happening in the moment, 90% of it can be prepared in advance.
2. You are first and foremost dealing with a people issue
One of the most confronting and underestimated aspects of a cyberattack is how troubling it can be on a personal level. It may present as a tech problem, but the human repercussions are far greater.
There are so many ways that our professional and personal lives overlap, and inevitably they’re invested in digital systems that can be accessed in an attack.
Having sensitive workplace and/or client data compromised is stressful enough, but it’s also highly emotional when you throw in the personal data of current and past employees.
On top of that, if the business is forced to stop operating for a period of time, or if there’s a risk of catastrophic reputational damage, then it goes to a level where people can fear for their livelihoods.
3. How you engage with your people determines the outcome
The way you engage and communicate with your various audiences needs to account for the human nature of these concerns. There’s a very good chance your style, tone and technical execution will be considerably different to the way you normally communicate.
The people affected by a cyberattack will not blame you for being caught up in it, but they will judge you on how well you handle it.
However you resolve it, the thing people will remember is how you made them feel throughout the process. You may even build trust, strengthen relationships and enhance your reputation!
Learning from bitter experience can be a funny thing. We have taken these learnings and applied them, not only in the advice we give clients enduring their own cyber crises, but also to better inform how we run our own cyber crisis simulations.