As the United States was coping last week with air-travel chaos caused by a breakdown in an essential flight communications system, in Britain, the national postal system’s ability to send mail overseas was being taken down by a cyber incident.
Here in New Zealand, communication has emerged as the single most important factor to think about for organisations hit by cyberattacks and systems outages.
Last year, CERT NZ (Computer Emergency Response Team) received reports of more than 30 ransomware attacks and damages of almost $9 million in the third quarter alone. Some of the highest-impact attacks were on IT companies that worked with a multitude of clients and their databases.
Ransomware attacks are proliferating in NZ. No organisation is immune from a cyber-security incident as "bad actors" test and probe thousands of IT systems, from banks to health agencies and privately owned businesses. Recent attacks on webhosting and web design agencies have exposed their client databases to potential data theft and exposure.
How a business under attack responds and communicates with key stakeholders during a cyber-security incident will set the tone for its relationships for months to come.
While IT experts quickly get on with identifying the entry point and damage done to servers, the victim organisation needs to quickly organise its internal and external communications.
There are five critical actions businesses should consider in their response: call the experts, find out the facts, prioritise their audiences, keep the information flowing transparently during the recovery process, and provide regular updates to customers and suppliers.
Call the experts
The critical first step is to bring in the experts if your organisation has been hit by distributed denial-of-service (DDoS) or ransomware attacks.
These include forensic IT specialists to manage the software, legal support for liability and insurance claims, and public relations advisers to communicate to clients and the public to maintain your reputation and keep the business operating during the crisis.
Businesses in crisis are advised to keep a record and timeline of everything they do during the cyberattack – for debriefing after the incident, to support future risk planning, and for insurance or legal reasons.
If the action during the crisis is thick and fast, consider appointing one person to keep a record on a whiteboard as decisions are made and acted on in the incident room. Set up an incident room if there are multiple team members and you need a separate space to manage the issue.
Get your facts straight
Ensure the information you are giving is correct before communicating the details of the attack to your clients and suppliers.
It's important to work out what data has been viewed, encrypted or stolen before communicating anything, so you're giving the right information. This includes what services are down, what is safe outside the attack and what is still operating.
It's essential not to speculate or allude to actions that may or may not be true. Try not to downplay the impact if the facts of any data theft are still unknown.
Whether you have in-house resources or need a specialist agency, you will most likely need to draft emails to customers; statements for the media; talking points for phone calls to tier 1 customers or for staff meetings; FAQs; and media Q&As.
Prioritise your audiences
Communication during a cyberattack needs to be immediate and urgent so stakeholders get accurate information about the incident from you first and not from the media or by discovering it themselves when they can't access their data.
Set up a tailored crisis plan beforehand so the business is prepared and can put in place stakeholder communications as quickly as possible.
Even if services are locked or in the process of being rebuilt, customers will stick by a company if they're kept informed of the situation.
Identify key stakeholders who need to be told in the event of a cyber crisis. These include staff, customers, suppliers, directors, shareholders, funders, business partners and regulators.
Some will need to be informed more urgently than others, including your customer database, your staff, directors, the Office of the Privacy Commissioner, and CERT NZ.
In some cases, where there are many stakeholders, it's a good idea to break up the communications responsibility so one person liaises with the crisis team and formulates messaging. Others can do internal communications, customer communications, and keep suppliers and regulators informed.
This means every stakeholder is getting a consistent message and is told about the issue quickly, and nobody's missed.
Be transparent
In my experience, affected people will want to know what is going on as soon as possible, and frequent updates – even if they are not detailed – are better than keeping stakeholders in the dark.
As the incident progresses or escalates, companies may need to draft extra customer communications, website announcements and further detailed Q&As for customers and others. Long delays in communicating issues to key stakeholders are not advised.
Provide regular updates
Stakeholders will be looking for an indication of when they can expect systems to be back up and running.
Many will also be concerned about the release of their private information, such as identification documents and bank account details. As the incident progresses and changes, you must keep them up to date.
Most of the time, there is no definitive answer because it may take days or even weeks to rebuild servers, recreate databases, cleanse laptops and PCs and return all systems back to normal.
With cyberattacks more frequent than ever today, businesses are adapting to the changing times and futureproofing for these scenarios, with communication at the forefront.
Communication is key in times of crisis, especially when you're faced with a cyberattack.