Cyberattacks x Crisis Communication
On Thursday 09/09/2021, Stéphanie LEDOUX, CEO of Alcyconie, took part in the round table: “Cyberattacks: best practices in crisis communication”, organised as part of the Forum In Cyber (FIC) 2021, alongside Valéry Marchive (LeMagIT), Christophe Fichet (Dentons) and Guillaume Chéreau (Orange Cyberdéfense).
Couldn’t attend? Here is a summary of Stéphanie LEDOUX’s speech!
In the event of a crisis, when can Alcyconie be mobilized?
The company can be mobilized at any time as part of our 24/7 on-call duty. But we distinguish 3 cases, 3 different temporalities:
- We can be mobilized from the very first moments of the crisis and work together with all the teams to quickly define a real strategy and operational orientations. This solution is obviously the most comfortable and allows for a rapid and efficient operational response. These are often organizations with which we already collaborate, or companies that are aware that services such as ours, or those of OCD, exist.
- Some organizations contact us a few hours later, once they see that the situation is escalating or when they face growing pressure, whether from the media, from customers or internally. These customers often contact us on the recommendation of their insurer, a government department or their Incident Response Provider (PRIS).
- The third scenario is the least desirable. We are called later and communication is often already underway. In this situation, we are really responding in firefighter mode. The aim is to salvage what can be salvaged and to make up for lost ground.
What is the best profile for a crisis cell pilot?
When faced with a cyber crisis, we very rarely recommend that the CISO steer the crisis. The CISO holds a key position in crisis management and already has enough to manage at the technical level, with the authorities or with the forensic teams.
The choice of crisis director will depend on the organization, the business skills and the personality of each person. The ideal is to choose a pragmatic person who can bring people together and act very quickly. This person must also have sufficient internal legitimacy and be able to make decisions. It can be an operations director, a technical director, or an HR director…
Who are your main contacts in the company?
- On the crisis management side, we work closely with the CISOs/CIOs, the DPO, the Executive Committee and the decision-making crisis unit, including a lawyer and a crisis manager.
- As far as communication is concerned, we often operate with a trio composed of the CISO, the communicator and the lawyer. This is the best configuration for communicating about cyber crises, which are very singular and technical.
What are the first measures you put in place in terms of communication?
First of all, three aspects need to be mapped out:
- What OBLIGATIONS do we have to fulfill? GDPR, specific regulations, contractual obligations…
- What THREAT are we facing: which operators? Is it ransomware? Has this group struck before? At this stage, we work closely with the CTI (Cyber Threat Intelligence) teams.
- And finally, WHO should we communicate to? We can never say it enough, but internal communication is still too often the poor relation of crisis communication.
If there is one principle to remember, it is that you must quickly occupy the field of communication and position yourself as a reliable source. But under no circumstances should you rush in headlong, without questioning yourself and without taking a few minutes to step back from the situation.
It is strongly recommended to anticipate this part and to map the communication targets before the crisis. This saves time in a degraded situation and reduces the stress and cognitive biases that such a situation can generate.
Should we be transparent in crisis communication?
Of course, transparency is generally recommended, but transparency should not be confused with “telling it all”. Crisis communication must go hand in hand with control: controlling what you share about the crisis. That means releasing information gradually, consistent with the investigations and the overall management of the crisis. It also means making sure not to pass any information on to the attackers, as unfortunately still happens.
If we had to keep only one piece of advice to be applied in your field, what would it be?
Prepare as much as possible to eliminate areas of uncertainty; there will already be plenty of them during a crisis. Above all, break the taboos surrounding cyber crisis communication. It must be seen as one of the dimensions of crisis management, no more, no less. It occupies a strategic place in crisis management but must not take precedence over the management of events.
Keep in mind that you should not say everything, but that everything that is said must be proven, sincere and honest!