Communicating During a Cyberattack: The Next Public Information Frontier
by Scott Summerfield, Principal, SAE Communications
California is in the midst of one of its most crisis-filled periods on record, and it seems as if we’re perpetually managing fires, mudslides, drought, and more – at the same time we’re focused on community resiliency. But one “crisis of confidence” lurks within every local government agency and has the potential to cripple operations and destroy public confidence – cyberattack.
Local agencies are a favorite target since we often haven’t created safeguards. Think about what can happen if a cyberattacker seizes control of your data and your systems, whether it’s theft and public release of information or a ransomeware hostage situation. Resident/customer information, billing and payment systems, 911 dispatch, human resources and payroll records, legal documents, traffic controls, and countless others can go offline or become inaccessible in an instant.
Your network and systems are only as strong as their users, and most attacks are the result of staff members inadvertently clicking on a dangerous email rather than organized internal or external system breaches. Suddenly your most-sensitive information is open to the world, with your stakeholders blaming you for allowing it to happen.
How much risk do we face? A few numbers from last year tell the story:
- $8 billion in damages caused by ransomeware
- 3 billion records leaked or stolen
- $8 million average cost of a US data breach
The risk is clear. Our responsibility is to reduce it through effective communications.
We recently were invited to participate in an IBM Security Cyber Range simulation in a Cambridge, MA facility designed specifically to help organizations recognize what happens when cyberattackers strike. Along with a small group representing some of the world’s largest financial and insurance services companies, we experienced how a cyberattack unfolds and how to manage the media response. Using a broadcast TV studio, a social media simulation platform, and other eye-opening resources, IBM’s experts stressed that we must consider our actions to be a business response tied to a security culture, not a technology response. And communicators are a vital part of keeping our businesses – our agencies – operating in the wake of an attack.
Communications is at the top of a successful cyberattack response, with our role just as important as those who investigate what happened and restore services. Cybersecurity experts consistently noted three inviolable communications guidelines:
Openness with those affected
Transparency in explaining what happened
Honesty about the attack’s scope
Sadly, those tenets are frequently missing from cyberattack responses, and bad situations are made worse by a communications vacuum, rumor, innuendo, and fear.
Your stakeholders will express a range of feelings – outrage, disappointment, worry, and confusion – and will ask pointed questions. How did you let this happen? Are my kids safe? Is my credit impacted? How are you going to get services re-started? When will things be back to normal?
The City of Atlanta has budgeted nearly $10 million to recover from its recent ransomeware attack which shut down most City operations for two weeks. Considering the attackers’ first request was for about $50,000 and the City had warnings for several months before the attack, we have a lot to learn from how this crisis was handled and how it could have been prevented.
Check out this list of Top 10 tasks to prepare for and respond to an attack:
- Know Your Exposure – meet with your information management staff and pertinent department heads for an in-depth discussion about your agency’s cyberattack vulnerabilities
- Be a “Nudge” – communications is one of the most important elements of a viable cyberattack response, and you must be part of the core response team, even if it means sometimes being a pest
- Prevent An Attack From Happening – craft an education program for staff centered on spotting phishing and other attack triggers in personal email accounts; this behavior will carry into the workplace
- Educate Your Staff – highlight the risks to your agency and those you serve, potential costs, and the hit to your credibility when information is stolen or held hostage
- Focus On New Hires – include cybersecurity in orientation materials and briefings, and emphasize your agency’s commitment to the protection of its information
- Plan Your Response – make sure your crisis communications and emergency response plans include cyberattack
- Identify Your Team – chaos will likely ensue when you’re attacked and you’ll need to immediately gather your designated crisis communications response team, including your local FBI and other partner agency PIO contacts; pull your team together now, as you won’t have time when the attack hits
- Anticipate Outrage – your stakeholders will be angry and confused…and communicating with heartfelt empathy will help you tell your agency’s response story more effectively
- Prepare For Questions – though each attack is different, you can begin drafting your answers to questions you’re most likely to be asked by your stakeholders and the media and then modifying as necessary when you become a victim
- Create Response Documents – develop cyberattack holding statements, pre-prepared social media posts, news releases, and staff communication scripts that can be deployed quickly
Oh…and don’t forget to tell your resiliency story whenever possible. Our stakeholders expect us to anticipate bad things, and we can increase confidence by noting our challenges and highlighting what we’re doing to keep information safe. Pitch a media story, schedule a policy leader update, hold community and staff forums, or spur an online discussion. The more we focus on cybersecurity, the less likely we are to become victims.
We all know that good planning is the foundation for a good response. With just a bit of effort, communicators can compel our agencies to take the necessary steps to keep us safer when the data thieves pay us a visit.