Communication and crisis management

When they fall victim to a cyberattack, some companies decide not to communicate at all, or only minimally, on the subject. Yet national security agencies and CERTs (Computer Emergency Response Teams) encourage communication that is as transparent as possible. The objective? To improve cooperation against cybercrime and to reassure the wider economy. So why is communication sometimes taboo? Should a company communicate or not? And to whom?


When it comes to communication by victims of cyberattacks, the example of Norsk Hydro is striking. In 2019, this Norwegian industrial group was hit by ransomware that paralyzed several production plants and part of its communication services. The company nevertheless chose transparency: the day after the attack, it opened a public page on its website dedicated to its crisis communication, and updated it regularly. In the months following the crisis, the media cited Norsk Hydro as an example to follow in communicating about cyberattacks.

Why do some companies favor discretion as a crisis communication strategy?

This textbook case is still cited today as an example of crisis management. How, then, can we explain that some victims prefer to be more discreet?

“For a company, admitting to having been the victim of a cyberattack is naturally difficult,” explains Yannick Duvergé, CEO and founder of Exemplary, a company specialising in crisis communication. “It comes down to admitting to having weaknesses, which can have serious consequences for the business.” For reasons of brand image, and therefore of business, it is common to see strategies aimed at masking or minimizing the consequences of an attack. Another argument against communication is the fear of creating a windfall effect for other attackers: ill-intentioned individuals could take advantage of the window between the disclosure of the cyberattack and the deployment of the patch correcting the exploited software flaw to carry out attacks of their own.

It is therefore essential to calibrate the level of technical detail communicated publicly, both to convey an intelligible message and to protect the victim company, explains Stéphanie Ledoux, founder and CEO of Alcyconie, a cyber crisis management and communication company.

“If it is a software flaw that has been exploited, communicating with colleagues in the sector can also prevent the attack from affecting other organizations using the same software.”
Stéphanie Ledoux, founder and CEO of Alcyconie

At the same time, legislation regulates some of the statements made by companies, some of which may be required not to communicate. When legal proceedings are under way, “it is often the case that companies cannot apply their crisis communication plan at the pace they want, for as long as it takes for investigators to do their job,” says Pierre-Yves Hentzen, CEO of Stormshield. As for critical companies, whether Operators of Vital Importance (OIVs) at the French level or Operators of Essential Services (OESs) under the European NIS framework, they are bound by a strict communication protocol.

Conversely, other legislation requires companies to communicate certain information, not publicly this time, but to the competent authorities. Thus, Article 33 of the General Data Protection Regulation (GDPR) obliges organizations processing the personal data of people in the EU to notify the competent supervisory authority of a personal data breach. The victim company must do so without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. The 72-hour window runs from the moment the organization becomes aware of the breach, not from the end of its investigation, which is why the time of detection should be recorded as soon as it is established.

In addition, Article 34 of the GDPR obliges these organizations to inform the individuals concerned when the breach is likely to result in a high risk to their rights and freedoms. Here, however, the deadline is imprecise (the text only requires communication “without undue delay”) and in practice it remains at the discretion of the victim company and/or the judicial authorities in the event of an investigation. The vocabulary itself, personal, sensitive, critical or vital data, can also add to the confusion.

“These companies are often contractually obliged to inform their stakeholders or customers. That’s why it’s important to have a competent legal department with you so that you know exactly what to do or say in the situation.”
Stéphanie Ledoux, founder and CEO of Alcyconie

But while these factors may explain the silence of some companies, experts agree that communication in the event of a cyberattack is a necessity.

Why is the use of transparent crisis communication recommended by experts?

Stéphanie Ledoux thus presents communication as “a tactical instrument at the service of crisis management”. Done effectively, it plays a major role in a positive resolution, as the case of Anthem shows. On January 27, 2015, this American health insurer (one of the largest in the US market) was the victim of a cyberattack. On February 4, the company issued its first public communications: it admitted to having been the victim of an “ultra-sophisticated action” and, worse, that the data of tens of millions of customers had fallen into the hands of cybercriminals.

In the days that followed, Anthem sent personalized messages to all affected customers with advice on what to do. While the situation could have been catastrophic for the company’s image, the strategy deployed by Anthem, like Norsk Hydro’s, is regularly held up as an example of seriousness and transparency.

The positive and lasting effects of a transparent approach to crisis communication are largely explained by the public’s growing familiarity with the subject. Whereas in the past the public might have blamed companies that fell victim to cyberattacks, this is no longer the case because it “knows that cyberattacks are more and more common and can affect all companies, even the most prepared,” explains Sébastien Viou, Director of Product Cybersecurity & Cyber-Evangelist at Stormshield.

Faced with media coverage of a cyberattack, the public’s first reflex is to seek to “know more about the way the company is managing the crisis and facing its difficulties,” says Stéphanie Ledoux. “It is no longer fooled. When a company tries to hide the effects of a cyberattack, that alerts people all the more.” Not communicating for fear of incurring the wrath of public opinion has therefore become nonsensical.

For his part, Pierre-Yves Hentzen underlines that most arguments against transparent communication share a common denominator, fear, in particular the fear of harming one’s business relationships. Yet “this is precisely what crisis communication is for: to reassure. Depending on the situation, the company is not obliged to alert the public immediately, but it must reassure its employees, stakeholders and customers! The consequences of the crisis may be just as important for them, and denying this fact will probably be more damaging to the reputation of the attacked company.”

It should be remembered that the ANSSI considers damaging a company’s brand image to be one of the four main motivations for cyberattacks. The French agency confirms that the most common cyberattacks “are essentially aimed at damaging the image of their target”. In addition, Sébastien Viou recalls that after their misdeeds, “it is not uncommon for cybercriminals to carry out communication actions on social networks to promote the data assets they wish to resell on the darknet and/or damage the victim’s brand image”. In other words, however hard the company tries to hide or minimize the impact of the cyberattack it has suffered, it is very likely that someone will leak the information for it.

“It is better to adopt a transparent posture immediately, to show that you occupy the field and are not running away.”
Stéphanie Ledoux, founder and CEO of Alcyconie

How to best communicate during a cyberattack?

For companies that want to communicate, the question is how to proceed. The first piece of advice “is to act quickly,” says Yannick Duvergé. As mentioned above, the company must assume that sooner or later the information will leak. And if the company’s communication is preceded by rumours, whether concrete or not, the effects on the public’s trust in the brand can be devastating. Between November and December 2013, the American retailer Target was the victim of a cyberattack that led to the payment card data of tens of millions of customers being circulated on the Web.

The company preferred not to communicate. Bad luck: an outside source was the first to inform the public. This strategy led to Target being accused of covering up the attack and its potential consequences for the public. The effects on brand image were disastrous, and consumer perception hit an all-time low. According to Sébastien Viou, the information communicated by sources “external” to the company is increasingly the work of the cybercriminals themselves. “They see it as a way to force victim companies to pay ransoms (in the case of ransomware attacks, for example), or to advertise the stolen data to potential buyers.” To avoid suffering the same fate as Target, it is therefore recommended that companies communicate first, a principle often called “stealing thunder”: corporate communication must pull the rug out from under the cybercriminals’ feet.

But to whom should the first messages be addressed? From experience, Pierre-Yves Hentzen believes it is imperative to begin the crisis communication phase with the company’s employees. They must be informed as far as possible, but above all a reassuring posture must be adopted as to “the state of the company and their future”. It is also the ideal time to convey the conduct expected of them throughout the crisis, particularly in terms of confidentiality. “They will be solicited by the press or external actors, and must comply with the established communication plan. Involving them therefore helps greatly in the positive resolution of the crisis.”

For her part, Stéphanie Ledoux stresses the importance of “not adopting a cold, technical, or even guilt-inducing posture”, which could amplify the shame felt by employees who may have contributed to the spread of the cyberattack. “They are the first victims of the cybercriminal and, as long as no proof of a breach of security rules is provided, they should be treated as such,” adds Sébastien Viou. The experts’ opinion is in line with the recommendations of the European Network and Information Security Agency (ENISA) and the various European CERTs, which advise communicating with the different audiences in this order: employees, stakeholders (or shareholders), business partners (and service providers), customers, and finally the press.

The quality of the information transmitted still has to be ensured. Yet in the hours following the discovery of a cyberattack it is very difficult to know precisely what happened, and therefore to plan a communication action on the subject. Depending on the case and the severity of the attack, the company may be able to call on the competent authorities: in France, the ANSSI can conduct technical investigations to help victim companies understand aspects of the attack. Does this mean that no message can be sent until the cybercriminal’s modus operandi is known? “The company can start by acknowledging the attack, without speculating. It can also explain how it affects its proper functioning. This has the merit of being transparent and showing that the company’s management is facing up and taking its responsibilities,” explains Stéphanie Ledoux.

This impression is reinforced if the company’s communication is “embodied by a senior executive, or even the company’s manager,” adds Yannick Duvergé. “This process humanizes communication. The relationship of trust with the public is therefore much easier to establish.”

Finally, if the company believes it is not yet in a position to communicate outside its organization, it can still turn to certain private entities and clubs such as the regional information security clubs (Clusir). Their members are guaranteed a relatively confidential space for exchange, where the aim is to share good practices and experiences in cybersecurity.

The company can start by acknowledging the attack, without speculating. It can also explain how it affects its proper functioning. This has the merit of being transparent and showing that the company’s management is facing up and taking its responsibilities.”
Stéphanie Ledoux, founder and CEO of Alcyconie

And after the cyberattack? Several months later, some companies publish a detailed assessment of their misadventure. This type of communication allows others to benefit from the feedback. Sébastien Viou explains that cybersecurity players such as Stormshield are particularly interested in reports detailing attack processes and indicators of compromise for the affected solutions: “this allows us to constantly listen to the reality on the ground”. In addition, “if the company continues its communication, this time focusing on the actions it has carried out and the experience it has gained from them, it could very well come out of it valued,” explains Yannick Duvergé. This more transparent approach allowed Target to climb out of its initial slump. In the year following the attack, the new management launched numerous cyber-resilience projects totalling nearly $17 million. By keeping the public constantly informed of these developments, it managed to restore its image and ended the quarter at the same level as before the cyberattack.

Proof that the public understands, and can even forgive a lack of security, as long as the communication is supported by sound arguments.

An article by Julien Paffumi, also available on the Stormshield website.
