10 steps to prepare to communicate about cyber incidents

By Ben Overlander

Communicating around cyber incidents can fill even the most seasoned of communications professionals with fear. According to recent research by Regester Larkin, almost half of communications teams feel unprepared to communicate about them. A good communications response to a cyber incident is critical to protecting reputation and minimising subsequent commercial impacts such as a loss of customers or intellectual data.

Regester Larkin director, Ben Overlander, shares 10 steps to help organisations prepare to communicate confidently about cyber incidents.

1. Understand what data your organisation holds and identify the legal, regulatory, operational and reputational risks a breach would cause.

2. Identify which regulators you would need to communicate with in a cyber incident. Develop relationships with them in peacetime.

3. Develop draft materials for how you would communicate detailed technical information to non-technical audiences.

4. Map the key stakeholders you would need to communicate with and the most suitable channels. Consider the implications of an IT outage.

5. Media train potential spokespeople specifically against cyber incidents. Ensure they can speak confidently about cyber issues.

6. Engage senior leaders and agree how your organisation would approach the difficult challenges around a cyber incident:

  • Would we proactively communicate?
  • How would we respond to a ransom attempt?
  • Do we apologise if it’s not our fault?

7. Write a list of questions you would need to ask your IT colleagues in a cyber incident.

8. Develop a cyber playbook or toolkit documenting all of the above.

9. Engage with your IT colleagues so they are familiar with your plans.

10. Rehearse the communications response to a cyber incident through a crisis exercise.

Read 7 tips for cyber exercises.

Building your data breach response capability

By Dominic Cockram

“Spectacular achievement is always preceded by unspectacular preparation” (RH Schuller) is a great adage in the crisis management arena and applies equally in the cyber readiness world. Our experience in both preparing our clients for cyber response and supporting them during cyber incidents has highlighted some key areas and lessons:

Top Tips for successful Business Continuity planning

By Andy Cuerel

Business Continuity Management Systems (BCMS) encompass comprehensive and often detailed suites of activities. Comprehensive, however, does not equate to incomprehensible. And detailed should not be a euphemism for over-engineered.

Consideration of the following should help keep your BCMS lean, mean and fit for purpose!

Engaging the top team in crisis preparedness

Chief executives, managing directors and other senior business leaders are failing to engage fully in crisis preparedness and risk undermining their organisation’s ability to manage crises, according to Steelhenge and Regester Larkin’s latest crisis management survey.

The survey of 170 large companies from 27 countries revealed that big business understands the need to prepare for a crisis, with 86 per cent of respondents owning a crisis management plan, 59 per cent carrying out crisis training and 68 per cent conducting crisis exercises at least annually. It is clear that crisis preparedness is high on the agenda.

Seven tips for cyber exercises

By Dominic Cockram

Cyber attacks will continue to threaten business operations in 2016, with many commentators claiming that this year we could see ‘the big one’.

Organisations are increasingly focused on understanding the impacts a cyber attack could have on their operations and reputation. Many are now using cyber scenarios in their crisis exercises to test and validate their assumptions on how they would respond and reflect on the unique challenges a cyber attack could bring.

The exercises range from fully immersive simulations, which develop and build competence and confidence by realistically replicating the pressures, issues and uncertainty, to desktop sessions, which give leadership teams and broader management the opportunity to familiarise themselves with the nuances of a cyber response, such as the awkward language and the reporting processes.

Having run a large number of cyber exercises over the last 18 months, I thought it would be useful to share some of the common lessons.


‘Strategic’ and ‘operational’ resilience – establishing more comfortable bedfellows

By Dominic Cockram

The more I hear of the current discourse on organisational resilience, the more uncomfortable I find myself feeling.

The concept has been around for a long time and was brought sharply into focus in 2014 by the British Standard, BS 65000: Guidance on Organisational Resilience. As one of the editors, I was party to vivid and lengthy discussions and much positive disagreement as we ranged around the topic of organisational resilience, what it meant and how best to set it out in a standard. In the end, what came out was a ‘Guidance’ and that was an excellent result. Resilience is a complex and many faceted concept and it would have been wrong to go too far in framing an approach at this stage.


TalkTalk: The twists and turns of the cyber crisis continue

The story of the TalkTalk cyber crisis and the company’s response continues to unfold as we saw inevitable outrage over the weekend with stories galore of customers with “potentially hacked bank accounts” raising a whole new raft of rumours, heating the debate and breeding more noise about what might have happened and just how great the impacts may be.

The story was moved by the CEO (quite cleverly) to the broader focus of “cyber risk is a wider problem the UK needs to face up to and address” with calls for more Government support to tackle cyber crime. A fair appeal and one raised by me in my earlier blog – regulation and control or assurance in this domain is very much required – even though challenging to apply in a reasonable manner.

Talk Talk – a network hack by any other name

TalkTalk is the latest in a long line of high profile businesses to undergo a ‘cyber attack’ as they call it. A real pattern is emerging of how these matters are managed in the public domain and it is interesting to note there is no use of the dreaded “hacked” terminology in their reports and messages.

They are now in that incredibly tricky position of knowing intruders have been in – but not being quite sure what they have left with in their bag of electronic ‘swag’. It is now that the executive team discover just how convoluted the investigations can be and the awful fact that there is the potential to never know exactly how they got in or what was taken. At a time when everyone is seeking certainty, the challenge of a cyber crisis such as this is that conducting investigations as to where hackers have been on your network, particularly if it is integrated across key platforms, can be a very, very long process. It can be quick if fortune smiles on you but there are no guarantees.

Volkswagen: a long road to recovery

By Dominic Cockram

It has certainly been a busy few days for the VW crisis management team. If they had a mature and practiced crisis preparedness capability in place then hopefully they will have been hard at work for some time now. Suggestions are that others did have some foresight that all was not well in the industry from the roadside test reports, so there may have been some early work going on.

But, in facing this potentially overwhelming corporate crisis, how should VW set about managing the crisis, identifying their priorities and ensuring their reputation recovery?

Getting ahead in the reputation game

Reputation and the importance of a good reputation is well understood; for businesses reputation is a vital and valuable commercial asset, albeit intangible. But how do organisations actively protect their reputation and manage the risks to it being damaged?

That is a harder question to answer. The 2014 Forbes Insights Survey found that 39 per cent of companies surveyed rated the maturity of their reputation risk programmes as “average” or “below average,” and only 19 per cent gave themselves an “A” grade for their capabilities at managing reputation risk. Clearly there is still much to be done – but what? In this blog, I offer some ideas for consideration and debate.

Influencers of corporate reputation

External perceptions of quality, transparency and trust are key influencers of corporate reputation, as found by research published in the Edelman Trust Barometer (an annual survey of more than 5,000 informed publics in 23 countries), the Fortune 500 listing of the world’s most admired companies and the Reputation Institute. But herein lie the first two problems for reputation risk management. Reputation is an intangible asset and its gift is in the hands of your stakeholders; both factors make it harder to gauge.