Communicating clearly in a crisis
Chris Butler, Principal Consultant, Cyber Resilience and Security, Sungard Availability Services
To quote business magnate Warren Buffett, “It takes 20 years to build a reputation and five minutes to ruin it.” Years on from that memorable statement, I wager it would take much less than five minutes in our ‘always on’ world to suffer reputational damage.
We are unable to open the newspapers or turn on the television today without bearing witness to the latest victim of a cyberattack, a recent example being the hack of American TV giant HBO, whose money-spinning series Game of Thrones was leaked around the world.
The threat is certainly growing: a recent report revealed that a third of UK cyber security execs expect to get hacked. In a world overwhelmed by social media, news of such a disaster can go international in the time it takes to say ‘cyber-breach.’ And the potential fall-out of a crisis? Damage to your business’ reputation, negative effects on share price and a detrimental impact on staff morale.
If a data breach takes place, organisations must be in the position to communicate information instantaneously and precisely to all parties affected – customers, partners, vendors and staff. However, by their nature crises are unique, unpredictable, and can go far beyond any eventuality you’ve planned for. (Hence the rueful observation by one business continuity practitioner that “We’re always planning for our last disaster.”) So, how can organisations ensure they’re prepared to respond in the most effective way possible?
There are two types of communication that are needed to support a crisis management programme. Both require sufficient preparation to ensure a swift and appropriate response in times of crisis, and that those impacted are kept in the loop by business leaders – not a random social media post.
1. Pre-defined messages
These should be the cornerstone of any good crisis management programme and are crucial to avoid wasting time deliberating on what to say as the crisis unfolds. But how do you go about developing them?
Organisations need to dedicate time to identifying potential scenarios, developing the appropriate messaging templates and selecting appropriate communications channels for each situation. We recommend carrying out a comprehensive stakeholder analysis to identify the parties who will need to be informed as a priority, and agreeing what they need to know. Constructing and clearing provisional statements in advance will place your business in a much stronger position to respond quickly and accurately.
2. Tailored responses
Tailored responses are unique to a particular crisis. While it is not possible to prepare for every single crisis outcome, this does not justify neglecting foresight, groundwork or planning. As someone, somewhere once said, the only thing harder than planning for an emergency is explaining why you didn’t. Carrying out simulation exercises to educate and train crisis teams, familiarise them with possible outcomes, and uncover opportunities and gaps in their programme(s) will help them develop a readiness mentality. This then places them in a much stronger position to manage threats to their organisation.
It’s crucial to enlist a crisis communications team, led from the board, embedded at the heart of your business and possessing a sound understanding of the risks and threats posed to the organisation. However, in a crisis the onus is not just on the defined crisis communications team. Senior management will need to be media-trained to respond to untoward situations, to reduce damage to the business brand, to keep staff feeling focused and motivated, and to engender confidence among stakeholders. They will be a vital conduit for creating market goodwill while the business establishes the nature and scope of the threat, reinstates or bolsters systems or operational integrity, and addresses any customer impacts.
And when crafting your communications, it is worth remembering that, as Winston Scott, Director of Florida Space Port, so pithily noted, “At the onset of an emergency, everyone’s IQ goes immediately to ‘0’.”
Weathering a crisis will depend entirely on your organisation’s ability to arm itself and remain level-headed when the time comes. Businesses that deliver well-considered communications in the event of a cyber-attack will be the ones to demonstrate foresight and agility, repositioning themselves as a stronger and more resilient force.
About the author
As principal consultant for cyber resilience and security at Sungard AS, Chris Butler leads the development of services that integrate traditional information security products within a wider framework of organisational and cyber resilience.
Following a 20-year Army career in aviation, security and counter-terrorism, Chris moved into consulting, initially with a large oil/gas firm helping major projects to close out and learn from experience, then into the nuclear sector. Working in security and resilience, Chris provided expert consultancy covering crisis, emergency and incident management, and policies and plans for preparedness and response. He has further experience in strategy execution consultancy, including programme and risk management, and executive coaching in the legal, financial and health/nutrition sectors.