Achieving effective communication between the various stakeholders in a business can be challenging under any circumstance. But it can become a real nightmare when you’re in the midst of a severe crisis, such as a cyber attack that disrupts normal business operations.
That’s why establishing a crisis communication plan is essential to your cyber resilience plan, especially for the maritime and logistics industry, where complex infrastructures and the geographical dispersion of stakeholders add an extra layer of difficulty.
The challenges of crisis communication during maritime cyber security incidents
When a crisis strikes, you’re likely to run into a variety of sticky communication issues.
There is the obvious problem that normal communications platforms may be impacted and rendered non-operational during an attack. Beyond this, it can be a real challenge simply to determine which parties to loop in using alternative communications channels. Before you can begin effective communications, you need to know which stakeholders (executive team, managers, employees, partners, investors and customers) need to be part of the conversation as the crisis response unfolds.
Deciding which information to share publicly, and which to restrict to internal communications channels, is another common challenge in times of crisis. In order to make these decisions, you must first assess the situation to understand the impact: was sensitive data accessed and downloaded? This can greatly affect the urgency and the nature of the communication needed.
In addition, you must take into account regulatory compliance: the regulations around cyber crisis communication that apply to your specific company under local or international law. This is usually under the jurisdiction of the legal department and must be considered before moving ahead with any form of crisis communication.
Once all this has been taken into account, you must also determine how to share information publicly:
- Which social media channels to post to
- Whether and how to send emails
- Where and how to release information to the press
Controlling the narrative is essential during crisis management and requires staying on top of all these elements; otherwise there is a risk of major reputational harm. However, it is also important to keep in mind that the cybercriminals can choose to leverage communication channels themselves, by publishing details of the attack on social media or by approaching customers.
And then there is the issue of making promises you can’t keep during crisis communications. For instance, organizations have a tendency to say things like, “we’ll provide daily updates as the situation unfolds,” but fulfilling that promise can become challenging if there ends up not being something new to say every day. They may also fall into the trap of “communicating just to communicate,” meaning that they release information that is not actually meaningful.
There are several overall concepts to consider in your communications. Here are our recommendations:
- Own it: accept responsibility for the situation
- Avoid blaming others for the situation (even the cybercriminals…)
- Downplaying the situation is usually not the answer. Instead, consider demonstrating that you are taking it very seriously – stakeholders will appreciate this much more
- Clearly address the main concerns of your stakeholders, in particular your customers
- Decide how you will communicate any updates, provide ad-hoc solutions, offer compensation, etc.
Principles for effective crisis communication and cyber resiliency
To mitigate these risks, developing a communication response plan is vital. Your plan should identify:
- Communications stakeholders: First, decide who will handle communications during a crisis. It is important to decide who manages the internal communication (within the organization) and ensure that it is clearly coordinated with the external messaging. You may choose to rely on an in-house communications team, a third-party agency or both. You should also decide which C-level leaders, board members, legal representatives or regulatory consultants will need to be available to help prepare statements, decide which information to release and so on.
- Communications channels: Determine which channels you’ll use to share information. Be sure to address both internal communication channels (such as those used by your teams to achieve business continuity) and external channels (where you’ll reach customers, investors, partners and other stakeholders from outside your business). In addition, you can consider other contingencies, including a dedicated landing page, an FAQ page or a hotline for customers.
- Communications workflows: Establish who will prepare information, how it will be reviewed and how it will be released. Since these processes may vary between different types of communications (for instance, large customers might receive notifications directly from C-level executives, while smaller customers will be notified in a more generic manner), you should plan a different workflow for each type of information you may need to release during a crisis. Each of these workflows should be outlined in a written plan, to avoid any possible confusion.
- Communication system contingencies: It is important to prepare an alternative communication channel, in case normal communications systems (like email servers) are brought down by a cyber attack. Your communications plan should therefore identify which alternative systems you’ll use to share information internally and externally during a crisis.
Develop a proper communication plan based on this information, which will serve as your formal crisis communications plan. Implement and test the plan on a routine basis. You can include these tests as part of your cyber drills, which are an opportunity to practice and enhance how stakeholders will respond during a crisis.
Communication is a pillar of cyber resilience
Surviving a cyber attack hinges, in part, on maintaining effective communications during the crisis. Plan ahead by deciding which stakeholders to include in communication operations, how they’ll share information and how you’ll maintain communication channels in the event that key systems are brought down during an attack.
Cyberstar is here to provide guidance on planning a crisis communications strategy tailored to your needs. Our deep expertise in maritime cyber security uniquely positions us to help businesses in the shipping and logistics industry to prepare their teams for handling communications and all other aspects of cyber resilience. We also run cyber drills to help businesses practice how they’ll handle response operations following an attack.
We can help your team prepare: