The recent ‘WannaCry’ ransomware attacks, which have hit over 150 countries, have the potential to cause lasting damage to the reputations of organisations around the world. Large and small organisations, in the public and private sectors, have all apparently been targeted in the latest high-profile hack.
Cyber-attacks are complex to describe and explain, and their perpetrators’ identities usually remain unknown. This means the attention of the media normally comes down to scrutinising the lack of resilience of the organisations which are designed to be there to protect us.
In the most recent attack, it was the UK’s National Health Service’s computer systems that came under scrutiny. Government ministers were called off the general election campaign trail to explain to the public why some systems apparently hadn’t been updated with the latest security capability.
In Germany, the issues were also very visible with information displays on the rail system being corrupted.
Suspicions about the attackers have now moved into the global diplomatic arena. In Russia, the President said his country wasn’t behind the hacks, pointing the finger instead at the US.
Those of us who have worked within government digital organisations will be aware of the work that goes on to resist as many cyber-attacks as possible. But despite the efforts of dedicated experts, there’s no bottomless pit of resource for cyber-security. Long after the immediate technical consequences of any attack have been addressed, the reputational damage to companies, governments and nations can be profound.
This particular ‘WannaCry’ attack is apparently demanding that ransoms are paid by victims. Following the first weekend of the attack, it’s reported that only a few thousand dollars had been handed over. For large organisations, it’s not any financial demands that could cause the greatest impact, but the long-term damage to their reputation.
This attack is making today’s headlines and might then quickly fade if its direct impact isn’t too severe. But you can be sure another will come along soon. TalkTalk, MySpace and Yahoo have all suffered high profile hacks in the past few years. No organisation big or small can be 100% sure they won’t be next. But they can help themselves with effective communications planning to limit the impact of any attack.
A plan needs the following three key elements:
- Crisis communications planning – cyber-attacks need to be treated like any other unplanned disaster, so they must be part of crisis preparedness. There should be a plan drawn up in terms of messaging and lines-to-take, allowing an organisation to be on the front foot from the start of any attack.
- Know who’s in charge – many organisations, the UK government included, don’t have a single spokesperson with accountability for cyber-attack communications. The Prime Minister, Home Secretary and Health Secretary have all given their own statements and interviews over the NHS hack. Governments are of course incredibly complex entities but all organisations need to define a single person to give continuity to media statements and interviews as the crisis unfolds.
- Keep audiences informed – cyber-attacks are different to other crises in that it can take many weeks to establish exactly what the impact of a hack has been. This makes it hard to give advice (for example, whether customers should change passwords or credit card details). Honesty and openness as well as the ability to say ‘we don’t yet know’ are credible options once a crisis unfolds.