I’ll be honest, March 2020 was the wildest time in my professional life. After a certain number of years in this industry—and certainly after navigating the early days of a pandemic—you really do feel ready for anything.
Working at an agency, you run across your fair share of crises: a shakeup of senior leadership, or in the worst case, an employee injury or death. Each industry has a pretty good idea of the risks associated with its work and can plan how to respond to those situations. For example, if you’re doing crisis communications for a financial institution, you probably don’t need to have holding statements (AKA an initial response to stakeholder inquiries) drafted to respond to a food contamination crisis.
The threats that keep me up at night are those that span all industries. The ones where no one is immune to the risk, like the Coronavirus pandemic. That’s how I classify a cyber security attack. No industry is safe.
For much of my career, a cyber security threat was limited to healthcare and financial institutions: the people who hold delicate information that we, as consumers, want to stay secure. Those days are long behind us, and a cyber security crisis can happen to anyone. From government and infrastructure to retail and hospitality, having a cyber security response plan is a must.
My biggest piece of advice for navigating any crisis, but especially cyber security, is to PLAN AHEAD. Even if you don’t think it will happen to you. Even if you think you don’t hold any important data. The more preparation you do beforehand, the more strategically you can execute your response with a calm, collected demeanor, and the less likely you are to make an emotional decision in the moment.
Crisis Communication Planning
Step 1 of planning ahead is determining key organizational leadership that should be included in the real-time decision-making process. Your war room, as I like to call it, should be comprised of individuals from the following areas of your business:
– Legal advisors
– IT leadership
– Senior leadership
– Communication team leadership
– Human resources
Prepare this team ahead of time. If possible, run a simulation or tabletop exercise to make sure your response can be timely and effective. Make sure you have key policies in place long before a crisis ever occurs. I recommend making sure your breach response policy, spokesperson policy and social media policy are up-to-date and specific enough to respond to a cyber-attack.
Key Message Creation
Strong, direct messaging is key to clearly and effectively communicating with your audience. We recommend putting together a message matrix that focuses on key talking points supported by facts or anecdotes that better tell the story. Using the message matrix as a guide, statements can be created that are designed for:
– Initial and ongoing communication for:
- Employees/internal stakeholders
– Statements of impact
– Recovery efforts
– Reconciliation plan
After the creation of strong messaging, delivering that message to those most impacted is of utmost importance. As with any communication, you should focus your efforts on meeting your audience where they’re at. This time, you have to place a high priority on delivering that message safely and securely.
– Notification should be made to:
– Notifications can be sent via:
- Holding Statement/Press Statement
- Online Portal
We get that knowing where to start can be tricky. Don’t hesitate to give us a call – we’d love to chat.