Building Your Cybersecurity Comms Toolkit: Insights from IABC Qld's Webinar
In today's fast-paced digital world, communication professionals face an ever-evolving landscape of challenges. A key area of concern is cybersecurity, which presents significant risks to organisations of all sizes. IABC Queensland hosted a webinar with Megan Lane, Director of Strategic Communications at CyberCX, to discuss this vital topic. This article summarises her expert advice on preparing for and responding to a cyber incident, aligning with our shared commitment to supporting and empowering our community of communication professionals.
Understanding the Threats
Megan explained that cyber incidents can come in many forms, and understanding the most common types is the first step in preparation. The most frequent incidents requiring a robust communications response are:
Ransomware: This involves a "threat actor" deploying malicious software to encrypt or "lock up" a company's systems, bringing the business to a halt. The goal is a ransom payment in exchange for a decryption key to unlock the systems.
Data Theft: This is where a threat actor accesses an environment and steals valuable information to use for extortion. Increasingly, ransomware and data theft are happening together, a tactic known as "double extortion".
Distributed Denial of Service (DDoS) Attacks: These attacks flood a website or system with traffic, causing it to crash and remain offline. While less common, they are often used by "hacktivists" to draw attention to an organisation.
Megan also noted that threats don't just come from criminal groups; organisations can also face incidents from foreign nation-states or malicious insiders.
The Importance of a Robust Crisis Comms Plan
A common mistake is believing a standard crisis comms plan is sufficient. As Megan highlighted, a cyber incident requires a specific approach. She advises that you shouldn't create a new plan during a crisis, but rather ensure your existing one is robust enough for a cyber-attack.
Here are key considerations for your plan:
Don't Rely on Internal Systems: Many plans written during the COVID-19 pandemic assume the use of platforms like Microsoft Teams, but a threat actor may have access to these environments.
Establish a Comms Team Early: Cyber incidents often start quietly and escalate. Don't wait for a declared "P1 crisis" to assemble your team. Bringing people together sooner allows you to shape the narrative from the outset.
Include a Technical Expert: "Well-meaning but unhelpful" is how Megan describes having a comms person in a room full of technical experts. Instead, your crisis comms team should include a technical person who can translate complex information.
Create a Detailed Stakeholder Map: Go beyond a high-level list. Identify all stakeholders and your legal, regulatory, and contractual obligations to each. This allows you to design an enterprise-wide "disclosure waterfall" to ensure everyone is communicated with in the right order.
The First Steps When an Incident Happens
When you get that dreaded call, Megan advises asking, "Who knows?" A senior comms person may be asked to work alone initially as the "circle of trust" is kept small while the technical team assesses the situation.
The next step is to get a thorough briefing on what has happened, what has been done, and where things might be headed. The initial 2-3 days of a cyber incident are the most intense. This is where your preparations will be tested and where you may need to bring in external support from PR or government relations firms for extra bandwidth.
The Principles of Good Cyber Comms
Megan's advice on what "good looks like" is underpinned by foundational principles that will be familiar to any communications professional:
Be Factual and Avoid False Comfort: Never lie or describe an incident as "scheduled maintenance". Also, be careful not to provide unhelpful levels of comfort, such as stating "no data has been accessed," if the situation is still evolving.
Be the Central Source of Truth: Ensure people hear bad news directly from you. Don't let others speak on your behalf and always "front up" to represent your organisation's narrative.
Use Simple Terminology: Your communications should be understandable to everyone. Avoid technical jargon like "brute force attack" or "MFA" without clear, simple explanations. This helps build and maintain trust.
Megan's insights reinforced that while the technical aspects of a cyber-attack are paramount, the communication response is just as critical. By proactively preparing and following these foundational principles, our members can confidently navigate these complex challenges, safeguarding their organisations and reputations.
Note: this article was written with the help of Google Gemini.