
Article co-written by Claire Juiff and Stéphanie Ledoux, in issue 20 of Cyberun magazine dedicated to Communication.
A real paradigm shift in cyber crisis communication
The growing awareness of cybersecurity and the evolution of cyber threats towards attacks with more visible impacts, along with changes in personal data regulations, have led to a real paradigm shift in cyber crisis communication. This is crystallised in a conflict of timing between:
- the necessary rapid resumption of activities and the time required for investigations,
- notification and communication obligations and the paralysing effect of a cyberattack.
It is characterised by new communication challenges:
- the complexity of conveying simple messages on a highly technical subject,
- the right level of communication to adopt when uncertainty prevails,
- the need to coordinate communication with audiences that have diverse expectations (employees, authorities, media, customers, etc.) while ensuring consistency and credibility.
Cyber risk, which is very much present in corporate strategic management, is also increasingly present in the media landscape. While this paradigm shift brings new constraints (technical, regulatory, communicational) and new user expectations, it also represents an opportunity for organisations capable of making the shift to cyber crisis communication.

What are the foundations of this new crisis communication paradigm?
Emergence of ransomware and visibility of cyberattacks
- The democratisation of ransomware-as-a-service (RaaS) and the explosion of big game hunting have led to a dramatic increase in this modus operandi. These paralysing attacks are often accompanied by data exfiltration and publication for extortion purposes.
- These attacks have transformed the media landscape surrounding cyber crises, which they have made visible through their significant impact on business activity. The number of companies ‘forced’ to communicate has created a collective awareness of the scale of the cyber threat and the multitude and variety of targets involved. They have also provided the basis for the creation of a reference framework for assessing crisis communication: minimising the attack, over-communication, opportunities to highlight resilience, etc.
- Publishing data serves a dual financial purpose for hackers: to sell the published data on the black market and to pressure the company into paying a ransom. By communicating, attackers use media leverage to achieve their goals.
- The impact on business operations (business interruption, data loss, etc.) also necessitates increased communication between the CISO, IT, BCP, HR and other departments. Communicating with employees and business units to keep them informed of the resumption of business requires regular information sharing that is understandable to all.
A collective awareness of personal data and its protection
- Regulatory developments surrounding personal data protection and the resulting notification requirements have led to increased communication on the subject and, once again, to greater visibility of cyberattacks.
- The implementation of the GDPR and user notifications about data leaks have created a virtuous circle, raising public awareness about personal data and its value.
- The notification deadlines are short (72 hours for the CNIL) and also vary from country to country, complicating the task of multinational groups, which must coordinate very quickly to harmonise their response.
- In a media landscape characterised by immediacy (social media, rolling news, etc.), digital investigations take time. It is important to be proactive in order to show that the company is in control and to reassure its stakeholders.
- Lawyers also play an important role in crisis communication. However, translating malicious cyber acts into legal terms and organising the notification of thousands of people within 72 hours is not always a simple task.
Cyberattacks, a topic with high media potential
- Faced with journalists who are aware of and trained in the subject, or even specialised in it, the journalistic approach is no longer limited to transcribing the company’s statements: it is a genuine investigation. While this allows for less one-sided media coverage of cyberattacks, it can be a considerable challenge for communications teams.
- Once a niche technical issue, cyberattacks are now part of the collective imagination and consciousness, particularly through the figure of the hacker. Hackers have entered pop culture: adult series such as Mr. Robot and The Bureau, but also children’s series, with the release of a cartoon series about a heroine solving cyber investigations, announced by Ubisoft.
- Data is no longer an abstract concept. It directly affects people and can have dramatic consequences. Hospitals cancelling operations and appointments, the vaccination campaign in the Rome region paralysed by ransomware… Concrete, visible impacts with a particularly distressing dimension: people.
How can businesses adapt to these new realities?
Firstly, it is important to break down the taboos surrounding cyberattacks: what the public and stakeholders no longer forgive is not being the victim of a cyberattack, but rather not knowing how to manage it and failing to respond effectively. It is precisely this issue that cyber crisis communication must address. Here are a few tips on how to prepare effectively:
- Prepare communications professionals operationally to meet their transparency obligations while respecting the precautionary principle, enabling them to develop reflexes on subjects that are very different from their everyday issues, ensuring they remain in control of the narrative about their company, and facilitating exchanges with digital investigative journalists.
- Master the media favoured by attackers (Twitter, 4chan, etc.) and map specialist cyber media: this will prevent criminals from dominating communications and enable more tactical monitoring.
- Train incident response teams to identify the key information to communicate to business units and how to convey it: overall communication will become more fluid.
- Integrate Cyber Threat Intelligence (CTI) into your cyber crisis communication strategy: analysing the threat and understanding who you are dealing with can help you avoid certain pitfalls, such as firmly denying a data leak when faced with a group of attackers known for publishing such leaks several months after the attack.
The three-pronged approach of preparation, training and coaching is a pragmatic and effective response to the new challenges facing organisations, given that crisis communication planning must be based on specific, concrete scenarios (personal data leaks, disclosure of critical vulnerabilities, etc.), particularly through crisis exercises that provide in-depth training for communication teams.