By Ben Curson & Callum Laidlaw


Article 24 June 2021

Overview

When it comes to a crisis many businesses will have plans and processes in place. The better prepared have them pulled together and logically arranged as a crisis manual. Yet too many still fail to understand the importance of ascribing communications the same crucial role in both the crisis preparedness work they do, and in the functions of a live incident response team.

This may be due to a misunderstanding of what a communications function and strategy means and how it can play a crucial role in managing and mitigating a crisis. For many organisations ‘comms’ is something that is proactive rather than reactive, ‘PR’ that promotes rather than protects. Yet the reality is that from employees and customers to media and regulators, a crisis is defined by the success or otherwise of the communications shared and the response they receive.

The first challenge is knowing when to communicate. Many organisations want to be on the front foot, aiming to ‘own the story’ and be seen as transparent. This may be easily achieved when the cause, scale and impact of a crisis can be readily ascertained, such as in some industrial incidents. However, in the case of a cyber incident it can often be weeks or months until the scale and nature of what’s happened is clear. The temptation to share information piecemeal must be weighed against the harm of encouraging speculation and raising concern – and potential litigation claims – amongst those not actually affected.

Depending on the operational impact, which may drive an immediate need to communicate, our advice is often to be patient if possible and let forensics do their work, allowing the incident response team as a whole to gather enough facts to determine whether formal notification is required under GDPR or under the contractual obligations an organisation has to its clients. These latter requirements are increasingly burdensome and can require an accelerated timescale, so it is worth checking what they are ahead of any incident and, with specialist counsel, considering possible amendments to future terms and conditions.

But this isn’t to say that communications can take a back seat until the details become known. Internal communication is just as important as external, and managing the concerns and gossip that naturally arise when an organisation is dealing with an issue is key. While you may wish to keep the ‘circle of trust’ small, all those aware of the issue must be given a clear message that reassures and emphasises that the situation is under control.

Furthermore, it is important to think about external touchpoints too. Client-facing staff may need to explain a situation when emails are down or documents unavailable. Receptionists and other frontline staff may need talking points and escalation guidance, and providing everyone with a clear line-to-take when asked by friends and family about what’s happening can help control the narrative and, ideally, keep matters confidential.

In recent times, a member of the incident response team may have been able to brief staff in person. Now, in a largely remote, or at least hybrid, working world, thought must be given to how best to communicate digitally. Even if emails aren’t down, written communications may be higher risk, with a greater chance of leakage, so it’s important to think about how you can communicate personally, such as on an all-hands call, and to consider what the process for managing questions and escalating enquiries will be. Being both considered and timely is one of the core crisis communications challenges, as is planning the resources required.

Of course, despite best efforts, it is often the case that events overtake investigation, such as the leak of data on the dark web or rumours surfacing from the cyber blogosphere. To be ready to handle these effectively, organisations need to prepare appropriate holding statements and responses to difficult questions, whilst monitoring social media and being able to react quickly to any unsubstantiated rumours. While there may not be much to say at an early stage, a message that states awareness of an issue and the proactive steps being taken will be preferable to ‘no comment’ – which just allows others the space to tell your story.

Finally, it is important to remember that your employees and clients will have other priorities and, unless the impact of the cyber incident is catastrophic, it won’t necessarily be front of mind. Use this to your advantage by providing reassurance and guidance where needed and proactively focusing on understanding the impact and recovering systems. Be prepared to lean on internal and external support as required.

In taking this approach, try to remember the three Cs of good crisis communication.

  1. Command – know your facts and your stakeholders
  2. Control – control the narrative, message and channels of communication
  3. Counter – address rumour and unsubstantiated claims and focus on

With these considerations front of mind the reputational impact of a cyber attack can be mitigated, helping you get back to business as usual.

Ben Curson, Partner at Kekst
Callum Laidlaw, Director at Kekst
