The unending parade of high-profile cybersecurity compromises has put every business on notice – but even if you’ve filled your ranks with expensive cybersecurity specialists, do the rest of your executives know how to manage the communications side of a breach response?
If you’re like many of the companies Jonathan Englert has worked with, the answer is a resounding ‘no’ – and it can easily become a big problem.
Trained in the ways of governance, transparency and compliance, many business executives rush to immediately share information about a breach – and end up creating a narrative that is inaccurate, or damaging to the company’s reputation, or both.
Englert – a strategic consultant and communications professional who founded ‘lean and scalable marcomms’ AndironGroup in 2014 – recalls working with a company that suffered a “fairly large breach” years ago.
Seeking to control the conversation about the breach, he told Information Age, the client’s non-technical external PR agency “allowed a really lame story to circulate, that the hack had happened because of the failure of antivirus software”.
“No tech journalist is ever going to say, ‘that’s totally legit’,” he said. “If you’re blaming antivirus for what happened, then you really don’t have good security.
“If the vector is that lame, you really ought not to talk about it – and you’re making an argument for future vulnerabilities because you won’t be able to fix things fast enough to protect the rest of your business.”
Who ya gonna call?
Years of massaging companies’ incomplete and problematic responses into something more effective have been “an eye-opener”, Englert said.
“What I found was that most business folks – including the board, CEOs, and leadership – are so focused on the operational stuff, revenue and growth and all that, that they struggle to conceptualise the risks, like the cyber risks.”
Crisis response is often handballed to lawyers but “there’s this tension”, Englert said, “because lawyers are not necessarily great communicators.”
“A lawyer’s job is to reduce risk around regulatory infringement and breaches, but sometimes they come in with a pretty uneven hand in terms of communicating with customers.”
After four years of quietly supporting government and corporate clients through all manner of cybersecurity incidents, Andiron has bundled its collective expertise into a service called Redphone.
Redphone provides 24x7 access to a crisis communication response team focused on a ‘health of organisation’ approach that, Englert says, is “basically the opposite of applying the standard narrow crisis lens”.
Aiming to “discipline the response and maintain adequate transparency without amplifying it incorrectly,” Englert said, the Redphone team – and a “larger ecosystem of folks with cyber forensics, crisis response and other skills” is ready to step in as soon as a company feels it has been breached.
This approach “integrates with the board and leadership,” he said, “to support them during a time in which business leaders and board members not only fear for the wellbeing of the organisation, but their own personal liability.”
Improving SME response
Given that a recent Cynch Security study found that 40 per cent of small businesses have had a direct experience with a reportable cyber incident in the past 12 months – and that 19 per cent of Australian small businesses spent nothing on cybersecurity in the previous 12 months – SMEs need all the help they can get.
The Australian Cyber Security Centre (ACSC), for one, this year launched a pilot program that will develop SME response templates by helping a group of SMEs improve their cybersecurity practices.
Such guidance will be crucial in helping businesses of all sizes keep up with rapidly-changing regulatory requirements such as APRA’s CPS234 policy; the prevalence and success of business email compromise (BEC) attacks; and new pressures around deciding whether or not to pay ransomware criminals.
Such decisions must be made faster than ever: the UK’s notifiable data breaches policy, for one, requires companies to report a breach within 72 hours – increasing the pressure to quickly create a narrative for customers, investors, and partners.
In the UK, Englert said, “if you basically get a whiff of an idea that you’ve been breached or you’ve had an issue, you have to disclose it and you may still not know what it is.”
Absent detailed and accurate information, Englert said, ineffective, incomplete and potentially damaging public messaging is all too common.
As a result, executives and insurance companies “are often caught footing the bill with near-zero visibility over the effectiveness of the methods used.”
“A lot of communications isn’t about media,” he explained. “It’s just about letting people know, evenly, what has happened.”
“We’re not competing with the lawyers, but it’s more of a disciplining and rationalising of the response.”