By Peter Coroneos (co-author)
When we looked at how 14 large organisations managed the fallout from a major cyber breach – the media coverage and public perception – what we saw was not pretty.
As the former head of Australia’s Internet Industry Association for nearly 15 years, I’ve struggled with the challenge of cyber security and cultural change. I’m assuming most organisations and Boards now accept the reality of cyber risk and are taking proactive steps to manage it. That is not the purpose of this piece. The communication aspect is. It may seem secondary, but the consequences can be far reaching, and public confidence and brand reputation are difficult to restore once lost.
We’ve witnessed large, well-resourced organisations handle post-breach communication so poorly that stakeholder trust fractured as the savage media assessment bit. The backlash in some cases resulted in executive resignations, public inquiries and sustained loss of shareholder value. Six of the 14 breaches were due to third-party (supply chain) risk, yet blame-shifting did nothing to aid market forgiveness.
Naturally, one would hope that corporate external or internal PR and communication teams are all over this. However, we’d respectfully ask corporate leaders to reserve any conclusions to that effect in the light of one inconvenient fact: ALL of the organisations we’re talking about here had access to top PR advice and/or experienced communication professionals.
So shocking was their management of communication that we felt compelled to write what we believe to be the first ever cyber breach communication playbook for Boards. The decisions that Boards make when the entity is under cyber attack can be irreversible. Cyber attack, post-breach communication, the ethics of disclosure and compliance under our new laws are inextricably linked. We conclude that cyber breach communication is (like cyber risk management) squarely an issue of governance. This is our primary message.
When the Obama Administration asked me to advise on how we implemented one of the world’s most successful malware mitigation schemes, I was happy to tell them the secret lies in establishing the business case. We had to convince America’s top ISPs and telcos to embrace proactive measures that turned out to be a win/win for the providers and their users. Today, nearly 100 million US and Australian internet users are safer. That would not have happened had we failed to parlay practical measures into a sound communication strategy.
Just to be clear, we have no interest in fear mongering or overhyping the cyber threat. But we did want to provide clear, practical guidance, so that if organisations are faced with, say, a ransomware demand, they have a decision-making framework to help them ask the right questions, together with a communication strategy, sample statements for media and social media, and an internal capability based on ethics, openness and the maintenance of public trust. Our aim is to equip Boards with rapid and competent decision-making power – asking the right questions is 80% of getting the right solution.
Our handbook for executive leadership and Boards is not technical, it’s pragmatic, easy to read and defines excellence at the governance level. The companion workshop builds pre-breach capability so companies are ready with pre-worked communications to get ahead of the story.
Seeing the likes of Uber, Target, the Australian Bureau of Statistics and others handle post-breach communication so poorly was a real wake-up call for me. These are big enterprises, obvious cyber targets, yet their knee-jerk reaction (based presumably on the advice of their PR and comms people) was to DELAY, DENY and DEFLECT. In the end they paid the price.
My co-author Michael Parker and I bring an unparalleled depth of experience and insight based on our respective areas of expertise – myself in leadership, cyber policy and governance and he in high stakes corporate communication.
In our primer, we cover emerging threats and the compliance landscape, then give you two worked-through scenarios based on real cases, with sample communications and statements for the Board and CEO. We include a Board decision-making framework for a ransomware attack. Detailed flow charts show the processes to be followed. The companion workshop develops process and content customisation for each entity’s unique configuration and risk posture.
Our premise is that a major cyber incident is not a matter of if, but when. The challenge is how to get communications ready in advance, how to build a reservoir of trust you can draw on, and how to act, and be seen to act, in the best interests of those whose information you hold (employees and customers).