Although they are based on similar objectives, methods and tools, crisis management and crisis communication necessarily appropriate the specifics of the issues they deal with to be relevant and therefore effective. In the case of a crisis of cyber origin, considering its characteristics and its exposure to often large numbers of users, requires specific anticipation and preparation. The first step is understanding the expected scale of media exposure.
Addressing the need to know and the need for reassurance
Supported by the increased number of incidents and attacks on information systems, the cybercrisis has moved into the public realm. The democratisation of its vocabulary is a clear indicator of the place that this subject takes up in the media. Data leakage, ransomware, hacktivist, DDoS, phishing, whistle-blower, these terms have left the server rooms and specialist blogs to make their way into national newspaper columns and most people’s vocabulary. The cybercrisis is no longer a mere quality incident discreetly handled in-house but has become an event that arouses the interest of a broad audience. This interest transforms the cybercrisis into a communicational crisis. However, while this theme’s new popularity is logically transposing into an increase in coverage, other elements justify a significant increase in solicitations, whether internal or external to the organisation in crisis.
When the cybercrisis results in data leakage, for example, it is not only the subject of the crisis that is newsworthy, but its very object. In fact, when the data leaks or is stolen, its nature arouses curiosity, whether it is personal data, a State secret or simply a private conversation. This mechanic logically generates for many audiences both the need to know the unknown, and to make sure that they are not the victim. These two primary needs of curiosity and reassurance are the essential drivers of media coverage and more generally encourage the information consumer, the stakeholder, the client to fill that need and seek to obtain this information. The same logic assumes that the source of this information, in this case the legitimate data holder, addresses these requests and communicates on the incident.
Whether it’s strategic events such as presidential elections or everyday private conversations on digital media that are compromised, the crisis’ media effect is magnified by the extraordinary nature of the event. This is the result of both its supposed impossibility and the confidence that the public entrusts it. The sudden rupture of the trust placed in these “institutions” of major importance, erected in good stead in a 2.0 version of Maslow’s pyramid, then generates itself the interest and the need to know, translated into an explosion of the number of requests for information to the organisation in crisis.
Figure 1: Maslow Pyramid Example
Communication war between the attacker and the communicator
Cybercrisis communication is thus a specific exercise given the subject it deals with, but also by the nature of the actors present. In fact, when immeasurable sums of money are stolen without warning or institutions fall under “citizens” hacktivist attacks, opinion tends to sympathise towards the attacker perceived as a modern hero, a romantic pirate or a anonymous vigilante.
This public figure, aware of its image and the codes of the communication world, will of course be able to play this environment. Thus, the very methods of the attackers reinforce the central place of communication in the management of cybercrises. Attacks on political, ideological and militant grounds are no longer confined to the compromise of a system but send a message whose publicity must be maximised.
This obvious appropriation of the activists’ specific methods is illustrated in several ways: prior warning of a DDoS, defacing a website, publication over time of proofs of a theft on social networks, dissemination of information such as exchanges of compromising private mail conversations, etc. If the attackers have learned to maximize the reputational impact of their attacks, they also use this lever to disrupt their target’s crisis management and make a noise that will buy them time once their attack is discovered. While one of crisis management’s key success factors of is regaining control of this rhythm and the publication of new elements, the cybercrisis inevitably leaves this power to a malicious third party.
This third party can also, if the compromise goes deeply, alter the company’s means of communication. While it tries to respond to the need to express itself urgently and widely, this can severely hinder the fluidity of its communication. Without email, how to spread a message to employees? Without social networks, how to be close to the community and answer their questions?
Restoring the trust relationship through communication
Fascinated by the attackers and the magnitude of the attacks, the general public is nonetheless intransigent at a time when trust and data are the very value of a company. Intrinsically, preserving the first assumes the protection of the second. When the organisation fails to achieve this goal, crisis communication is the only one able to restore this relationship of trust on which depends the future of the relation with customers and partners, who will or will not continue to entrust their data or the management of their tools, as well as their services to an organisation.
This trust requirement also brings about, when it’s is broken, the search for whom to point the blame. Although the reality of the facts is much more complex, the general public will easily assume that information system attacks are made possible by exploiting a vulnerability and therefore a fault.
A data leak is thus not only perceived as an attack perpetuated by a malicious third party, but also as negligence in the defences of the company victim to the theft. The latter is automatically designated as responsible and its reputation is logically impacted. Even as the attackers have become professional, the attacks complexify and the absence of vulnerabilities is a myth, cyber-attacks are now a subject of crisis management and communication in their own right. Because of its potential impact on the general public’s daily life and therefore its newsworthy nature, it forces the victim, considered to be co-responsible for its loss, to express itself.
Try to Keep It Simple for Better Crisis Communication
Beyond defining a clear, shared and timely strategy, managing a cybercrisis with its particular rhythm and the obstacles caused by the attackers must be accompanied by a special communication which implies a final effort: keeping it simple.
Confronted by a cybercrisis, like any type of crisis, communicating implies being able to translate the events and corrective actions into clear impacts and to address them in a coherent manner. Of course, the complexity of the terms and the mechanics of a cybercrisis makes this exercise tricky and is another particularity to take into account.
In this context, through their ability to translate the technical cause into business consequences and more generally into layman’s terms, the CISO and their team’s role is central. During business as usual as well as in times of crisis, the CISO’s mission is the responsibility for translating the facts and technical components not only into business impacts but also into understandable and convincing impacts for diverse non-expert audiences. They may also have to conceive or even bear responsibility for elements of crisis communication language in the same way that a human resources representative is exposed during a social crisis.
Without presupposing their exposure on a major TV channel’s news programme, information security experts’ words will be expected on social networks, on professional networks, in the specialized press or in-house. In crisis communication, everyone is responsible for everything and everyone has to be prepared for it.
Thus, the subject of cyber carries a media power of its own; the immediate consequence of which is the considerable increase in expectations and requests to be informed from different divisions of an organisation as well as from the public. If the impending occurrence of an information security incident involves a specific defence and continuity of operations planning, it also requires anticipation of these requests and an active preparation for this overall communication effort.
