How To React When Your Cyber Attack Goes Public

I’m so utterly in thrall to Netflix that I have a mild panic once I reach the end of the latest box set. Mercifully, that’s offset by the wave of relief when I find something new.

And so it was that, after eight blood-spattered seasons of Dexter, I stumbled upon Designated Survivor, in which Kiefer Sutherland plays a reluctant and under-qualified US president. He’s thrust into the role after the rest of the Government dies in a bombing on Capitol Hill during the newly-elected president’s swearing-in ceremony.

A few episodes later, the White House is the victim of a cyber attack. As the source of the breach is sought, the Chief of Staff frets over how to keep it quiet.

In real life, keeping unexpected events under wraps is a difficult balance between business protection and the transparency expected by clients and customers. My experience, though, is that if you’re a business of any repute or note, the truth has an inconvenient habit of finding its way out into the world.

That doesn’t mean you have to book a confessional prime-time ad. But if the breach is likely to have an impact on even a small group of customers, they have to hear it from you. The forthcoming GDPR regulations, which replace existing data protection rules, have specific obligations around reporting data breaches, so you’d be well-advised to speak to your lawyer about these.

More broadly, there are some golden rules. First, prepare for the worst. Most businesses will have some sort of resilience plans in place for fire, plant shutdowns, supply chain disasters – I’m willing to bet few have a data resilience plan, including examining risks in advance and media training spokespeople who can defend the company’s position.

If you have to put your hands up, there can be no half measures. You can’t tell a bit of the truth. Get on the front foot, before you’re asked, and give yourself a chance to control the message. Don’t allow yourself to be ambushed.

Simultaneously, you need to tell people what you’re going to do – or even better, what you’ve already done – to fix the problem so it can never happen again. They have to understand how seriously you take this, and any vague language or half-measures won’t provide the necessary reassurance.

Finally, be consistent. Look at every channel of communication available to you and make sure the message is consistent across all of them. Run communications from a central point and don’t have anyone – and it doesn’t matter how senior they are – going off and doing their own thing.

All of that said, there’s a simple truth about cyber attacks. If it happens to you, in whatever form, it’s going to hurt. If you can make sure your business has a plan which everyone understands, you can come out of a difficult issue looking like the good guys. Whether or not it’ll work for Kiefer I don’t know – I lost interest and started watching Line of Duty.

Bryan Garvie, director, marketing communications agency
Big Partnership