There’s a rather famous children’s book entitled Alexander and the Terrible, Horrible, No Good, Very Bad Day in which the protagonist is having, as the title suggests, a really, really bad day. From the moment the main character, Alexander, wakes up, he encounters a series of unfortunate mishaps, problems and disappointments that makes him one extraordinarily unhappy young boy.
If the author, Judith Viorst, were to write the 2020 sequel, the story would follow a now grown up Alexander having a Terrible, Horrible, No Good, Very Bad Year. In this sequel, COVID-19 would force Alexander to work remotely, wear a mask, and social distance. He would be furloughed by his employer and forced to take a 20% pay cut upon return. Alexander would not be able to see his mother in person, who now lives in a nursing home, for over six months.
But for this story to truly reflect 2020, then the narrative must include a chapter on Alexander’s employer falling victim to a cyberattack.
Cybercrime approaching record highs with three months remaining in year
October is National Cybersecurity Awareness Month 2020, and by this tenth month of the year, far too many companies have succumbed to a cyberattack or are under significantly increased threat.
Since the pandemic began, hackers and nation state adversaries have used the coronavirus to their advantage by exploiting vulnerabilities inherent to remote workers and using social engineering to incite fraudulent actions through fear. The subsequent civil justice movement and economic recession have also played right into attackers’ hands.
According to the cybersecurity company Check Point, “COVID-19-related phishing attacks grew from under 5,000 in February to more than 200,000 in late April.” And CrowdStike recently reported that there were more cyberattacks in the first six months of 2020 than all of the previous year.
The increasing threat of cyberattack has prompted many organizations to create or update their incident response and business continuity plans to ensure that operational and reputational damage is minimized when a hack or breach eventually occurs. Further, the increasing threat landscape has also prompted corporate communications and cybersecurity PR teams to look more closely at their crisis comms plans as it relates to a cyberattack.
Cyberattacks aren’t your ordinary crisis
Most PR and marketing teams have some sort of crisis communication plan in place. Such blueprints typically game plan out considerations for:
- determining the severity of a crisis
- who in the organization needs to be notified
- internal and external communications workflows
- the pros and cons of proactive versus reactive communications
While these standard operating procedures are relevant in almost every crisis situation, there are nuances specific to a cybersecurity incident that require marketing and PR teams to think differently about the circumstances around their response protocols. These include:
- Public Sentiment is often not on the side of the hacked organization, even though said organization is actually the victim of a crime. This is because society has come to equate breaches with a lack of institutional security protocols and not as an intrusion of privacy (akin to a homeowner being blamed for their house having been broken into). The truth is, the hacked organization is sometimes at varying degrees of fault while other times a motivated adversary on a mission to disrupt simply succeeds. Fortune 5000s can spend five to seven figures on cybersecurity annually, yet there is little public empathy for companies that succumb to cyberattack.
- Someone is always looking to break the news or discover a cyberattack. In fact, there is no shortage of students, researchers and journalists that peruse the Dark Web on a daily basis, searching for conversations about recent exploits, data dumps and proprietary personal and business information put up for sale. In some instances, these onlookers identify attacks before a company even knows it’s been hit, and will often bring it to the organization’s attention. However, unless national security is at risk, the discoverer is under no obligation to keep any information private for any amount of time.
- Incident investigation and forensics can take weeks to even months to determine the who, what, when, where and why of a cyberattack. And in some cases many of these 5W’s cannot be determined at all. Such time constraints are in direct conflict with our now instant gratification society that demands answers in near real-time. With most cybersecurity events, fulfilling the thirst for in the moment information sharing is almost never possible. This can present a significant challenge to marketing and cybersecurity PR teams under pressure from all directions to communicate details of an attack and the mitigation and remediation efforts moving forward.
With crisis communications, marketing and PR’s ability to instill the right tone, timing and transparency is critical to mitigating the situation at hand. This is increasingly true when navigating a cybersecurity incident, as the public’s lack of empathy for the breached puts the spotlight on any misstep, mistake or speculation – no matter how big or small.
Stay cyber-secure out there!