The increasing number of cybersecurity-related incidents across all industries around the world has put cyberattacks firmly on the media agenda.
Understandably, much of the focus is almost always on what businesses can do to safeguard themselves from cybercriminals or what a cyberattack victim should have done to prevent it.
But, it’s also crucial to take into consideration how businesses should deal with media and stakeholders following a cyber incident, according to Allan Bonner, cybersecurity author, a member of the board of governors for the MacKenzie Institute, and one of the panellists at ITWC’s MapleSEC virtual conference.
Not registered for MapleSEC yet? Do it now!
“Martial artists say the difference between injury and death is mere inches. It’s between the solar plexus and the ribs. Then the difference between injury and laughing at your opponent is another couple of inches because a kick or block will miss your body. That’s crisis response,” Bonner said during his presentation. “You have to act fast and know what you’re saying.”
Here are some of Bonner’s answers to common questions around crisis management, as well as important steps to take to effectively handle reporters during and after a cybersecurity breach.
When do I respond?
Bonner says response begins in the first hour itself. “If you’re not in front of this in the first hour or making good headway in the first hour, you may stay behind the eight ball forever.”
You ought to ask yourself the following questions:
Do you have insurance or was your insurance sold to a reinsurance company or retrocession company?
What will the public perceptions be of you and your organization?
What will be the legislative and regulatory response?
What’s going to happen days, weeks and months from now?
What response requirements do you have, meaning what legislation in your jurisdiction requires you to notify people and how quickly?
“You must communicate to the media in the way they want to be communicated with otherwise your news is not going to make the news.”
What should my communication include?
Bonner says your communication should include simple, clear messages that are audience-centred and comprise real and tangible goals, all of which shows that you care.
“Show progress, hold the CEO in the chairs and reserve until you really need them, take your critics seriously, and keep an eye on the legislative and regulatory process.”
You must make sure your message is easily accessible as that will cut down the phone calls and phone messages that you have to deal with, according to Bonner.
When a reporter calls, don’t just start talking. Pause, think, and take down your name and number. Find out if or not it’s a legitimate reporter, and then ask what section of the paper it is for, if there are other people the reporter is interviewing, and understand what the focus is, says Donner. This will help you understand what you are getting into.
Send data by email as this helps influence the kind of questions that a reporter is going to ask. Remember, if you’re on television or in a public meeting, body language is about 50 to 75 per cent of your impact. Keep it simple. “Grade 12 is the average education in Canada, roughly…so speak at the grade eight level,” he says.
Off the record doesn’t exist, Bonner says. And asking for questions ahead of time from the media is “amateur hour.” Be prepared.
— Alex Coop (@ItsJustAlexCoop) October 5, 2020
I want to speak to reporters and stakeholders but can’t because of serious legal reasons or because you would be fined to do so while you are under investigation – what do I do?
Take a look at the size of the fine and weigh that against your reputation and how long it’s going to take the regulatory process to be over with, and ‘you might want to speak’.
What to do when being interviewed during dire times and feeling nervous or guilty
Those fears mostly wash away with a clear message to communicate to reporters and your stakeholders, says Bonner. Try and learn more about your organization in order to get rid of that nervousness. “You must speak the way the media writes and speak,” says Bonner. “Say what you know for sure, what is positive, what is the official organizational view, what is a clear and lucid explanation, and what is your delegated responsibility to speak.”
In fact, he developed a business system, dubbed SOCKO (Strategic, Overriding, Communications, Knowledge, Objective), to help people or businesses get rid of that nervousness through rehearsal.
“A SOCKO system is something that you can develop long before you have a breach so that you can line up all your SOCKOs or messages or who you on one side of a piece of paper, and line up the questions that you might be asked on the other, and see how do you get from one side to the other,” Bonner explains. It is important that you use the space you are given. “If you don’t talk or have an excellent message, it gives over more time for your critics, and that is a key reason why you should pre-write your SOCKOs.”
You can learn more about the SOCKOs system here.