Flacks Guide to Hackers: The Communicator’s Role in a Cyber Incident

Ryan George, AVP of Marketing Communications
May 8, 2018

Included as the most dangerous jobs in America today are loggers, deep sea fishermen, truck drivers and… professional communicators? Danger is a relative term, and in today’s digital world communicators are increasingly finding themselves in professionally precarious positions.

There’s likely no area in crisis management where communications leaders can provide more significant value than in the event of a hack or cybersecurity incident.

Cybersecurity Incident Response Plan

It doesn’t matter if you’re one-person, a part-time business or a global enterprise, if you’re online someone somewhere is trying to hack your system, and you need to have a plan when the worst happens. Internal and external communication is an important component of that plan.

A Cybersecurity Incident Response Plan (CIRP) identifies who needs to do what when an event occurs. Corporate ownership of CIRPs generally lies with your chief information security officer (CISO) and your legal department. Additionally, I strongly encourage all in-house corporate communications teams to take ownership roles with CIRPs as well, as no one else is uniquely situated to respond with messaging expertise, media contacts and as the owner of distribution channels.

Taking the Multi-Stakeholder Approach

In these situations, communicators must implement a diversified stakeholder strategy. This can look different based on your organization, but some typical stakeholder groups are:

  • Incident Response Team (IRT): Likely spanning multiple departments, effective communication is critical across departmental lines when things are moving fast.
    • Things to Think About:
      • Who’s on the IRT?
      • Where would you gather?
      • Will remote/traveling employees need to have a way to connect?
      • Who’s the backup person for each role?
  • Executive/Leadership Team: Keep them in the loop for any incident — no issue is too small. Your company’s leadership likely has decades, if not centuries, of combined business experience, and this wisdom is vital in emergency situations. 
    • Things to Think About:
      • Has a member of the Executive/Leadership Team lived through a similar incident before?
      • Do your best to include only critical people with roles defined in the CIRP in the “war room.” In turn, make sure they are fully informed at all stages, preferably face-to-face.
      • Leverage this group to scale out your information updates.
  • Internal Employee Channel: This critical stakeholder group can often be the last to formally know. However, anyone who knows body language knows something is going on based on activity around the office. Don’t let the rumor mill turn a minor incident into a Sony-hack-level meltdown. Inform them early, briefly with just the facts.
    • Things to Think About:
      • Do you have an internal communications team member? Are they included in the CIRP?
      • What work can be completed in advance?
      • What avenues for communication will be available and what alternative methods will you need to rely upon as a backup plan?
  • Client-facing Groups: The last thing you want during a cybersecurity incident is to leave your client-facing team members uninformed. They’re on the front lines and should be looped in as early as possible with key information, remediation timeline and talking points (if necessary). This group isn’t just your service department either, so be inclusive — think about your receptionist, people who respond to inbound emails, etc.
  • External Customers: This group is a no brainer. Your CIRP should loosely identify in what cases they would need to be informed immediately, such as when their information is exposed or if protective actions are needed to prevent the risk from expanding. In many cases, this group is looped in on the back end for the purpose of transparency. If your company responds flawlessly because of preparation and your CIRP, don’t be afraid to tell the story. These days, you don’t get dinged for falling victim to attack, but you’ll lose your job (or even your career) for covering it up.
    • Things to Think About:
      • What channels can you utilize to get a message out quickly? Do you have a mass text messaging or auto-call resource in place?
      • How can you leverage your in-house knowledge for their benefit? We work with many small businesses that do not have expansive technology resources, so we proactively educate them on a monthly basis on common threats/scams as well as partner with RSI Security to serve as their incident preparation and response team.
      • What message (if any) will they need to relay to their clients?
      • Will any of their business processes be disrupted? For how long? As a financial services firm, we must always keep the stock market trading hours front of mind, as an example.
      • What are all the externally-facing messaging systems available? Think about your firm’s outbound voicemail, public-facing website, social media feeds, and any other client-facing applications that can be used to communicate important information.

Practice, Practice, Practice

If you haven’t already, consider running through some exercises and respond accordingly as detailed in your CIRP. Simulations will never have the same intensity or emotions as the real thing, but that works to your advantage as you can identify possible points of friction or additional needs.

Remember: Your legal team may want to say nothing — that’s their job. Your job is to make sure you say the right things. Be honest. Be clear. Be prepared. Be ready and you just might become the “Tylenol”¹ of the digital age.

Want to learn more about protecting yourself and your business from cyberattacks? Check out this free resource guide from 1st Global. Click here to download the guide.


¹ “How Poisoned Tylenol Became a Crisis-Management Teaching Model”, Time.com