ARTICLE
Crisis or Catastrophe?

How you respond to the first determines if you’ll avoid the second. Crisis communications specialist Wendy May talks us through the do’s and don’ts.


With cyberattacks likely to impact on most businesses at some point, we spoke to Wendy May, a crisis communications expert, about what to do if that fateful day arrives.

The frequency and severity of cyberattacks are increasing, with SMBs firmly in the sights of cybercriminals who consider them to be easier prey. According to Accenture, 43% of cyberattacks are aimed at small businesses, with more than half having suffered at least one incident in the past year, but only 14% are prepared to defend themselves.

It’s no wonder, then, that a reported 60% of SMBs who have suffered a data breach go out of business within just six months.  A contributing factor is the irreparable damage to their brand reputation, the loss of existing customers and the reduction in their appeal to prospects. 

With so much at stake, it’s critical that every business is prepared for a worst-case scenario with a crisis plan. The very process of creating such a plan often highlights vulnerabilities which can be addressed but, should the worst happen, everyone will at least be clear about what needs to be done, by whom, how and when.

The plan needs to go beyond the technical with particular focus on communications with the myriad stakeholders any business has, including employees, shareholders, customers, suppliers, the media, regulatory bodies and the wider public.

Cyberattacks are so commonplace in the news that it’s not necessarily having suffered the incident that will be the biggest problem for a business.  What they will be judged on, however, is how they’re seen to handle it and that depends upon the way they communicate about it with their stakeholders.  Do it right, and business leaders can inspire confidence, but do it wrong and it can lead to a potentially catastrophic loss of trust and reputation.

Here are just some of the do’s and don’ts about communicating to help you ensure your business survives a cyberattack or data breach:

Do
  • Prepare: create a plan for communications within the wider business crisis plan which pulls together representatives from all over your organisation including IT, Legal, HR, Office Services and Communications. Consider all sorts of incidents your business might face and prepare a response for each, so you know who should do what, when and how. Test the plan at least annually to make sure it’s robust and everyone has a chance to show how they will respond when the chips are down.

  • Be clear about your stakeholders: make sure, as part of the plan, that you know all the audiences you should communicate with should an incident occur, how you’ll do it and the process for developing and signing off messaging.

  • Get help: if your plan includes speaking with media, for example, either proactively or reactively, then make sure you get your spokespeople identified and appropriately trained. Consider whether to retain a PR or other communications agency to help you. If you have cybersecurity insurance, the provision of PR or wider communications support might be included – check your policy documentation.

  • Be open and honest: make sure you communicate, especially with those directly affected, as quickly as you can. This is particularly important if you think Personally Identifiable Information (PII) was involved. You may not yet know the extent of the incident, but it’s ok to say so – at least you’ll have given them a heads up so they can make the right decisions to protect themselves. This is your chance to show empathy and make the right impression about your leadership.

  • Notify relevant regulatory bodies: make sure you meet their requirements, for example, under the General Data Protection Regulation (GDPR).

  • Prepare holding statements: ensure all spokespeople are aligned in what they’re saying. These statements can evolve as the position becomes clearer and you’re able to provide more details about the incident and your response to it.

  • Consider creating a webpage containing all the information about what has happened and the action you’re taking and possibly even a telephone helpline.

  • Test your plan regularly: maybe even working with external experts who will devise scenarios to really put your team through its paces so you can be sure they’ll be ready to handle any type of crisis should the need arise.

Don’t
  • Fail to plan: yes, planning IS time-consuming and there are so many other things a business leader has to do but failing to plan will leave your business vulnerable and unable to handle a crisis effectively.

  • Underestimate the risk: it’s not really a matter of if you’ll suffer a cyberattack or breach, but when. Make sure you’re ready.

  • Get caught on the back foot thinking the news won’t get out and have no plan for dealing with the media or, worse, think a “no comment” comment will make them go away. It won’t.  It’ll just make them think you’re hiding something. If an incident is serious enough, adverse media coverage can cripple your reputation in hours, possibly irretrievably.

  • Wing it: your reputation is important. Invest in preparing, training and in practising through regular crisis exercise events so you can have confidence that you’re ready should the time come.

  • Stop communicating: make sure you continue the dialogue with your stakeholders, even after the immediate aftermath of the crisis is over. Let them know what you’re doing not only to recover but also what you are continuing to do to minimise the threat of any recurrence. This visibility will help strengthen your credibility and build, or rebuild, trust.

In summary, it’s not just the technical ability to deal with and recover from a cyberattack or data breach which will make or break your business.  It’s how you’re seen to do so and the way you communicate with relevant stakeholders.

If you don’t have in-house resources to develop a communications plan, then talk now with other organisations who may be able to support you.  It may involve cost, but when compared with the potential for such catastrophic reputational damage that your business is one of the 60% who can’t survive beyond six months, then this might just be a smart investment.

Wendy May, Director at Commverse Communications, has more than 25 years’ multinational experience in corporate communications, focused on both internal and external audiences.

Specialising in crisis and change management, she provides strategic and hands-on support to clients across a variety of industry sectors, including financial services, cybersecurity, and travel and tourism.

Wendy is based in Hampshire and, if you’d like to learn more about how to manage a crisis, click here and we’ll put you in touch.
