When they fall victim to a cyber attack, some companies decide not to communicate, or to communicate very little, on the subject. National security agencies and CERTs (Computer Emergency Response Teams), however, encourage communication that is as transparent as possible, in order to improve cooperation against cyber-crime and to reassure the wider business community. So why is communication sometimes taboo? Should a company communicate or not? And to whom?
When it comes to communication by the victims of cyber attacks, the example of Norsk Hydro is striking. In 2019, this Norwegian industrial company was the victim of a ransomware attack that paralysed several production facilities and part of its communication services. Despite this, the company decided to be transparent: it opened a public crisis communication page on its website the day after the attack and updated it regularly throughout the incident. In the months following the crisis, the media held Norsk Hydro up as an example of how to communicate in the event of a cyber-attack.
Why do some companies choose discretion as a crisis communication strategy?
This textbook case is still cited today as an example of crisis management. So why do some victims prefer to keep a low profile?
“For a company, it is obviously difficult to admit that it has been the victim of a cyber attack,” explains Yannick Duvergé, CEO and founder of Exemplary, a company specialising in crisis communications. “It is like admitting that you have weaknesses that can have serious consequences for your business. For reasons of brand image, and therefore business, it is common to see strategies aimed at hiding or minimising the consequences of an attack.” “Another argument against communication is the fear of creating a knock-on effect. Other malicious individuals may take advantage of the delay between the discovery of the cyber-attack and the release of the patch that fixes the exploited software vulnerability to commit a certain number of malicious acts of their own. It is therefore essential to measure the level of technical detail communicated publicly, both to convey an understandable message and to protect the victim company,” adds Stéphanie Ledoux, founder and CEO of Alcyconie, a cyber crisis management and communications company. “If it is a software vulnerability that has been exploited, communicating with peers in the sector can also help prevent the attack from affecting other organisations using the same software.”
At the same time, legislation frames some of the statements companies can make, and some of them may be required to refrain from communicating. In the case of legal proceedings, “it is often the case that companies cannot implement their crisis communication plan at the pace they would like while the investigators do their work,” points out Pierre-Yves Hentzen, CEO of Stormshield. Critical companies, whether Operators of Vital Importance (OIV) in France or Operators of Essential Services (OSE, the category defined at European level by the NIS Directive), are bound by a strict communication protocol. Conversely, other legal texts require companies to communicate, this time not with the public but with the competent authorities, about the cyber attack they have suffered. For example, Article 33 of the General Data Protection Regulation (GDPR) requires companies processing the personal data of people in the European Union to follow the alert procedure in force in the country where they operate, starting with “notifying the supervisory authority of a personal data breach”. Under that article, the victim company must notify the supervisory authority within 72 hours of becoming aware of the breach (not only of data exfiltration: loss, alteration or unauthorised access to personal data also count), unless the breach is unlikely to result in a risk to the individuals concerned. In addition, Article 34 of the GDPR obliges these companies to inform the individuals affected when the breach is likely to result in a high risk to them. Here, however, the deadline is imprecise: the text only requires communication “without undue delay”, which leaves the timing to the judgement of the victim company and, in the event of an investigation, of the judicial authorities. Personal data, sensitive data, critical data or even vital data: the vocabulary can also cause some confusion. Beyond the law, as Stéphanie Ledoux points out, “these companies are often contractually obliged to inform their stakeholders or customers. That’s why it’s important to have the support of a competent legal department to know exactly what to do or say depending on the situation”.
But while these factors may explain the silence of some companies, experts agree that communication in the event of a cyber attack is a necessity.
Why do experts recommend the use of transparent crisis communication?
Stéphanie Ledoux describes communications as “a tactical tool for crisis management”. When done effectively, it can make a significant contribution to a positive resolution, as the case of Anthem illustrates. On 27 January 2015, this American health insurance company (one of the largest in the US market) was the victim of a cyber attack. On 4 February, the company issued its first public statement, admitting that it had been the victim of an “extremely sophisticated attack” and that the data of tens of millions of customers had fallen into the hands of cyber criminals. In the days that followed, Anthem sent personalised messages to all affected customers, advising them on how to proceed. While the situation could have been disastrous for the company’s image, Anthem’s strategy, like that of Norsk Hydro, is regularly held up as an example of seriousness and transparency.
The positive and lasting effects of a transparent approach to crisis communications can largely be explained by the fact that the general public has become more familiar with the subject. In the past, the public might have blamed companies that fell victim to cyber-attacks, but this is no longer the case because “they know that cyber-attacks are increasingly common and can affect any company, even the most prepared,” explains Sébastien Viou, Director of Product Cybersecurity & Cyber-Evangelist at Stormshield. When a cyber attack is reported in the media, the public’s first instinct is to “find out more about how the company is managing the crisis and overcoming its difficulties”, explains Stéphanie Ledoux. “They are no longer fooled. If a company tries to hide the effects of a cyber-attack, they will become even more alarmed”. Not communicating for fear of incurring the wrath of public opinion is therefore no longer an option.
For his part, Pierre-Yves Hentzen points out that most of the arguments against transparent communication have fear as their common denominator, particularly the fear of damaging business relationships. And yet, “that’s what crisis communication is for: to reassure. Depending on the situation, the company may not need to alert the public immediately, but it does need to reassure its employees, stakeholders and customers! The consequences of the crisis may be just as important to them, and denial is likely to be more damaging to the reputation of the company under attack”.
According to ANSSI, damaging a company’s brand image is one of the four main motives for cyber attacks, and the French agency states that the most common cyber-attacks “essentially aim to damage the image of their target”. In addition, Sébastien Viou points out that “it is not uncommon for cybercriminals to launch communication campaigns on social networks to promote the data they intend to sell on the darknet and/or to damage the victim’s brand image”. In other words, no matter how hard a company tries to hide or minimise the impact of a cyber-attack it has suffered, it is highly likely that someone else will leak the information for it. “It’s better to be transparent right from the start, to show that you’re on the front line, not running away from it”, concludes Stéphanie Ledoux.
How best to communicate during a cyber attack?
For companies that want to communicate, the question is how to do it. The first piece of advice “is to act quickly”, says Yannick Duvergé. As mentioned earlier, the company has to assume that sooner or later the information will be leaked. And when a company’s communication is preceded by more or less concrete rumours, the consequences for public confidence in the brand can be devastating. Between November and December 2013, the US retailer Target was the victim of a cyber attack in which the payment card details of around 40 million customers were stolen. The company chose not to communicate, and an outside source (the security journalist Brian Krebs) was the first to inform the public. Target was then accused of concealing the attack and its potential impact on the public; the damage to its brand image was severe and consumer perception hit an all-time low. According to Sébastien Viou, such leaks through “external” sources are increasingly a deliberate tactic of cybercriminals themselves. “They see it as a way to force victim companies to pay ransoms (in the case of ransomware attacks, for example) or to advertise the stolen data to potential buyers”. To avoid suffering the same fate as Target, it is therefore recommended that companies communicate first. This principle is often referred to as “stealing the thunder”: corporate communication should take the wind out of cyber criminals’ sails.
But to whom should the first messages be addressed? In Pierre-Yves Hentzen’s experience, it is essential to start the crisis communication phase with the company’s employees. They need to be kept as informed as possible, but above all they need to be reassured about “the state of the company and their future”. This is also the ideal time to let them know what is expected of them throughout the crisis, particularly in terms of confidentiality. “They will be contacted by the press or external actors and will have to comply with the communication plan established. Involving them is therefore a major contribution to a positive resolution of the crisis”. For her part, Stéphanie Ledoux stresses the importance of “not adopting a cold, technical or even guilt-ridden attitude”, which could exacerbate the shame felt by employees who have unwittingly contributed to the spread of the cyber attack. “They are the first victims of the cybercriminal and, as long as there is no evidence of a breach of security, they should be treated as such”, adds Sébastien Viou. The experts’ opinion is in line with the recommendations of the European Network and Information Security Agency (ENISA) and the various European CERTs. These two institutions recommend communicating with different audiences in this order: employees, stakeholders (or shareholders), business partners (and service providers), customers and finally the press.
The quality of the information released remains to be verified, however. In the hours following the discovery of a cyber-attack, it is very difficult to know exactly what has happened, and therefore to plan a communication campaign on the subject. Depending on the case and the seriousness of the attack, the company may be able to ask the competent authorities for help: in France, ANSSI can carry out technical investigations to help victim companies characterise the attack. Does this mean that nothing can be said until the cybercriminal’s modus operandi is known? “The company can start by acknowledging the attack without going into too much conjecture. It can also explain the extent to which its operations have been affected. This has the advantage of being transparent and showing that management is facing up to the situation and taking responsibility”, explains Stéphanie Ledoux. This impression is reinforced if the company’s communication is “embodied by a senior manager or even the head of the company”, adds Yannick Duvergé. “This process humanises communication. It’s much easier to build a relationship of trust with the public.” Furthermore, if the company feels that it is not yet in a position to communicate outside its organisation, it can still turn to certain private bodies and clubs, such as the Clubs de la sécurité de l’information en réseau (Clusir). Members of these clubs have access to a relatively confidential forum for exchanging best practices and experiences in the field of cybersecurity.
And after the cyber attack? Several months after an incident, some companies publish a detailed report on what happened to them. The advantage of this type of communication is that others can benefit from the feedback. Sébastien Viou explains that cybersecurity vendors such as Stormshield are particularly interested in reports that detail how the attack unfolded and the indicators of compromise (IoCs) observed on the affected products: “This allows us to be constantly in touch with the reality on the ground.” What’s more, “if the company continues to communicate, this time focusing on the measures it has taken and the lessons it has learnt, it could very well come out on top”, explains Yannick Duvergé. This more transparent approach helped Target recover from its initial slump. In the year following the attack, the new management launched a series of cyber resilience projects totalling almost $17 million. By keeping the public regularly informed of these developments, the company was able to rebuild its reputation and end the quarter at the same level as before the cyber attack.
Proof that the public understands, and can even forgive, a security failure. Provided the right arguments are used in the right way.
An article by Julien Paffumi, also available on the Stormshield website.