Cyberattack: Communication Planning is Essential as Threats Increase
Cyberattacks are occurring with alarming frequency. Public agencies are no exception to these attacks and must have a communications strategy when the inevitable happens. According to Security magazine, more than 2,000 attacks occur daily on public and private organizations. Are you next?
For those in the water world, you might already know that in May, the United States Environmental Protection Agency warned that cyberattacks targeting water utilities across the country have increased in frequency and severity, most often involving threats from Iran and China.
Almost 75% of water systems inspected by the EPA don’t fully comply with security requirements in the Safe Drinking Water Act, with problems such as default passwords that haven’t been updated and single logins that can easily be compromised.
However, this issue goes beyond just water—it impacts public schools, other utilities, and even our cities and counties, affecting the entire public sector.
Think about what can happen if a cyberattacker seizes control of your data and your systems, whether it’s theft and public release of information or a ransomware hostage situation. Customer information, billing and payment systems, human resource and payroll records, legal documents, gate/door/elevator access and countless other systems can go offline or become inaccessible in an instant.
Communications is at the top of a successful cyberattack response – along with a clear pre-crisis understanding of your vulnerabilities – and agency communicators are just as important as those who investigate what happened and restore services. Cybersecurity experts consistently note three essential communications guidelines:
- Openness with those affected
- Transparency in explaining what happened
- Honesty about the attack’s scope
Sadly, those tenets are frequently missing from cyberattack responses, and bad situations are made worse by a communications vacuum, rumor, innuendo, and fear.
Your stakeholders – internal and external – will express a range of feelings, including outrage, disappointment, worry, and confusion…and will ask pointed questions. Are my utilities safe and secure? How did you let this happen? Is my financial information impacted? How are you going to get service re-started? When will things be back to normal?
Here are a baker’s dozen ways your agency can prepare for and communicate effectively in an attack:
- Know Your Exposure – meet with your information management staff and department heads for an in-depth and brutally honest discussion about your agency’s cyberattack vulnerabilities; walk through your treatment plants and other facilities and ask operations staff what could happen if they’re compromised
- Keep Prodding – communication is one of the most important elements of a viable cyberattack response, and as an agency leader (whether elected/appointed or staff) your input must be part of the response, even if it means sometimes being a pest; continually ask tough questions about the attack’s scope and recovery progress
- Prevent an Attack From Happening – craft an education program for staff centered on spotting phishing and other attack triggers in personal and work email accounts
- Highlight the Risk – ensure that staff understands the potential damage to your agency and those you serve, recovery costs, and the hit to your credibility when information is stolen or held hostage
- Focus on New Hires – include cybersecurity in onboarding materials and briefings, and emphasize your agency’s commitment to the protection of its information
- Plan Your Response – make sure your emergency response and crisis communications plans include cyberattacks; don’t forget about your staff, which will be affected in many ways
- Identify Your Team – chaos will likely ensue when you’re attacked, and you’ll need to immediately gather your designated crisis response team, including local government, regional cybersecurity, FBI, DHS, Secret Service, and other partner agency contacts; pull your team together and build relationships now, as you won’t have time when the attack hits
- Anticipate Outrage – your stakeholders will be angry and confused…and communicating with heartfelt empathy will help you tell your agency’s response story more effectively
- Prepare for Questions – though each attack is different, you can begin drafting your answers to questions you’re most likely to be asked by your stakeholders and the media and then modifying as necessary when you become a victim; identify your attack-related spokesperson and train them for a high-visibility response
- Create Response Documents – develop cyberattack holding statements, pre-prepared social media posts, news releases, and staff communication scripts that are written in plain language and can be deployed quickly; also include backup protocols to distribute information if your traditional systems are compromised
- Learn from Attacks on Other Agencies – media coverage and public reaction will be similar to what you’ll face; identify what went well and what could have been more effective
- Train Your Staff – conduct regular training sessions, tabletop exercises, and other preparedness drills across all agency operations; these activities create muscle memory and establish an ideal state of preparedness
- Clarify Policy Leader Responsibilities – members of your governing body may want to communicate directly with your customers, and their training should focus on the importance of only posting verified information, their role during a cyberattack, etc.
Don’t forget to tell your resiliency story whenever possible. Your stakeholders expect you to anticipate bad things, and you can increase confidence by noting your challenges, highlighting what you’re doing to keep information safe, and committing to honesty when something happens. You have a variety of tools to build confidence, such as scheduling a policy leader update, holding customer and staff forums, spurring an online discussion, and pitching a media story. The more you focus on cybersecurity, the less likely you are to become a victim.
Sheri Benninghoven and Scott Summerfield are principals of California-based SAE Communications and have provided communications counsel, media relations, and Joint Information Center management for many of California’s most challenging recent disasters and crises of confidence issues. Maurice Chaney is Public Information Officer for Roseville Environmental Utilities, responsible for communications strategy for a suite of utilities in the fast-growing community. All three authors are recipients of the California Association of Public Information Officials (CAPIO) Paul B. Clark Award for lifetime contributions to the profession.