In the event of a major cyber attack, communication with the outside world cannot be improvised and must be as transparent as possible. Internal communication concerns not only employees, but also the company’s Executive Committee.
On 30 January 2020, a massive cyber attack hit the entire Bouygues Construction Group. 60 countries, 3,000 servers and 60,000 employees were affected. One of the first actions taken by the IT department was to “manually” disconnect the entire IS. “This decision had a direct impact on activities as essential as payroll and site management… But it saved the company by allowing it to take an accurate inventory of the attack and prevent the ransomware from spreading too far,” says Thomas Degardin, now cybersecurity coordinator for the Bouygues Group, but CISO of Bouygues Construction at the time of the attack.
Once the surprise and, for some, the shock had passed, the crisis management processes were quickly put in place: creation of a “resources” unit to manage up to thirty “streams” in agile mode, organisation of the teams in 3×8 shifts (an organisation that would later be made more flexible), appointment of people dedicated to recruiting cybersecurity experts throughout France, creation of a “strategic” crisis unit, etc.
The communicators also need to act quickly, whether they are addressing employees internally or all of the company’s stakeholders. “I often quote Cardinal de Retz: ‘Honesty is the greatest virtue’. In a crisis situation, the most important thing is not to lie. Blunt statements like ‘everything is under control’ do not reassure anyone. Without necessarily giving all the facts, you have to explain what’s going on in a very educational way, because your stakeholders don’t necessarily understand your business,” explains Emmanuelle Hervé, director and founder of EH&A Consulting.
Only honest and transparent crisis communication pays off
Lilian Laugerat, former GIGN officer and director of Solace, agrees: “You’re up against a cyber attacker who doesn’t hesitate to say what he wants to say and who knows your weaknesses. He knows you’re afraid to communicate. So the question is, who’s going to speak first? The answer is simple: it should be you. You have to say what you know, but also what you don’t know, whether there’s a ransom or not, whether you’re going to pay it… In any case, you’ll never be accused of telling the truth.”
Stéphanie Ledoux, director and founder of Alcyconie, adds: “You should only communicate on the basis of proven facts, not assumptions. If you don’t, you have to justify why what you said didn’t happen, which leads to defensive communication and ultra-justification. It’s also important to know who you’re dealing with: what the attacker’s modus operandi is, whether he’s in the habit of distributing stolen data, whether he’s bluffing, whether he’s humorous or cynical… All this information is important for adapting your communication.”
What should I do in the event of a data leak?
In the event of a data leak, it is essential to inform the relevant stakeholders. Again, the truth must be told. “Above all, your customers expect you to be transparent. Admittedly, they may not be happy at first, but in the end your approach gives you greater credibility. I have a case of a start-up that was the victim of data exfiltration. We warned their customers on Tuesday. The next day the hackers contacted them. Anticipating things more often than not surprises cyber attackers and gives you more trust with your customers,” notes Lilian Laugerat.
Lying or failing to communicate information as strategic as data exfiltration is a risky gamble that is likely to backfire on the company that is the victim of the cyber attack. “We have a specific case where one of our clients didn’t dare say ‘we don’t know’ about a possible data exfiltration. We were still investigating whether the ransomware had exfiltrated data when our customer changed the ‘we don’t know’ to ‘there was no exfiltration’. The result: two days later, LockBit declared that it had 4 TB of data from this company, which we were then able to verify thanks to the firewall logs,” explains Wandrille Krafft, DFIR Manager and IS Engineer at Lexfo.
Don’t neglect the journalists, especially the specialised press
Another factor to consider is the expertise of journalists who specialise in cybersecurity. “These journalists are often researchers specialising in cybersecurity, so they know where to look for specific information. So they ask more specific questions, and they know very well that depending on the attackers, there is a high probability of a data leak. If you don’t talk to them, or if you avoid sensitive issues, they will be all the more persistent and will point out in their article that you didn’t want to talk about these issues,” says Stéphanie Ledoux.
Transparency also has other benefits: feedback from an organisation that has been the victim of a cyber attack is always useful for other companies. “Immediately, on the spot, the truth that you tell is useful to all your partners, who can trigger their own crisis management plans if necessary. Afterwards, the fact that you can testify and explain what worked or didn’t work in your crisis management is extremely useful for the whole community of companies and cybersecurity players,” adds Wandrille Krafft.
Communicating with employees ... and with the Executive Committee
Finally, we must not forget the internal aspect of communication, first and foremost with employees, most of whom experience a cyber attack as a real trauma. “When an organisation is cyber attacked, it’s a real earthquake for all employees. Beyond the purely technical aspects of the attack, the psychological and HR impact must be taken into account in crisis management, in a holistic way,” says General Marc Watin-Augouard, founder of the FIC (Forum international de la cybersécurité, renamed Forum InCyber).
“HR follow-up is indeed key in the event of a cyber attack. It’s very important to mobilise HR teams and even occupational medicine, rather than sending them home, to monitor everyone individually and find out how each employee is feeling during the crisis. This also makes it possible to plan back-ups if necessary,” adds Gérôme Billois, cybersecurity and digital trust partner at Wavestone.
Another group that must be kept informed is the Comex, the Executive Committee. “When we were attacked in 2020, Emmanuelle Hervé intervened with the CEO of Bouygues Construction to tell him that the crisis would last a long time. It paid off, because on D+4 he told his Comex: ‘Get organised on the sites without IT, it’s going to take a long time’. That took a lot of pressure off us and we were able to manage the downgraded mode more calmly,” recalls Thomas Degardin.
Sometimes a liaison officer needs to be appointed between the IT crisis unit and the strategic crisis unit. “This person spends his or her time translating. On the one hand, he or she provides the Comex with essential information, without jargon, so that senior managers know how the crisis is developing. On the other hand, he or she receives the strategic priorities from the Comex and translates them for the IT crisis unit. This frees up everyone’s time and streamlines communication,” explains Emmanuelle Hervé.
“A rock, a lighthouse, what shall I say, an omniscient person!”
The last word goes to Thomas Degardin, who advises all CISOs to be prepared to become a mixture of rock, lighthouse and all-knowing in the event of a major crisis.
“The rock, because you’ll have to make decisions that are sometimes very structural, such as temporarily blocking 4,000 employees. You are bound to make mistakes. So you have to be very solid. The lighthouse, always with a smile on your face, because that’s a key motivator for all the teams. Omniscient, because you’ll become the apparent ‘expert’ on all the technologies and solutions available. You’ll have to answer dozens of questions, sometimes without knowing whether you’re right or wrong,” concludes the former CISO of Bouygues Construction.
Read Fabrice Deblock’s article on the InCyber News website.