Like a medieval plague, the WannaCry ransomware virus spread quickly and indiscriminately across six continents. In its wake, companies shut down operations, vital services were curtailed, and national politics were thrown into turmoil.
Inevitably, news reports focused on IT professionals scrambling to contain the virus.
But how were marketing and communications pros responding? And if MarCom is your discipline, did a chill go down your spine as the story unfolded?
It should have. After all, a security breach is more than a crisis for IT. It’s also a crisis for the brand—no matter how large or small the company.
An IT security event can wreak havoc with operations, destroy valuable data, erode the trust of customers, and generate concern – even anger – among investors, suppliers and partners. Each of these outcomes creates a harsh marketing and communications challenge.
The best way to minimize the damage? Prepare.
That’s often easier said than done. Most marketing and PR pros have enough to do grappling with the day-to-day. Yet the odds suggest a security breach will hit your company someday. Consider:
- Symantec’s sobering Internet Security Threat Report reveals that 7.1 billion identities have been exposed in data breaches during the past eight years alone. And each year the attacks get more sophisticated and more expensive to resolve.
- A 2015 survey by the National Small Business Association revealed that 63% of US respondents had been hit by a cyberattack during the previous year.
- The UK government reports that “just under half (46%) of all UK businesses identified at least one cyber security breach or attack in the last 12 months,” with nearly 7 in 10 large businesses affected. And while nearly half of small and micro businesses were also hit, 39% had no cyber security in place—mistakenly believing they were too small to be targeted.
If your security is someday compromised, rapidly re-establishing trust is the mission-critical task. Here are six actions you can take now to make you more agile when the crisis hits:
- Establish your emergency chain-of-command for communication
Your team will need to make strategic messaging decisions quickly and intelligently. Streamline this process by creating a crisis communications RACI (Responsible, Accountable, Consulted and Informed) plan. Trim your normal process to a smaller group, perhaps including just the officers of the company, the communications/marketing and IT security professionals, and key board members if applicable. You’re balancing two objectives here: getting your story right, and getting your story out in a timely manner. Managed poorly, those objectives can be at odds with each other.
- Identify your official spokespeople
Determine in advance who has authority to speak on behalf of the company in an emergency—and who does not. You need one coherent narrative coming out of your organization.
News media will sometimes collar any insider, even front-line employees, to get a pithy quote. All of your colleagues—from the CEO to the most recent entry-level hire—need to know who is authorized to speak to the media and who is not. Explain why this is important. And give everyone the language they need to fend off media requests.
- Establish a “Reverse 911” capability to reach your stakeholders directly
Public safety officials in neighborhoods near chemical plants can auto-dial thousands of homes instantly to provide warning in the case of a dire emergency. You need to be prepared to act with similar urgency.
Seriously evaluate how quickly you can connect with your stakeholders—your customers, employees, and investors—as well as anyone else with an interest in your situation. Whether through an email, a letter, your website, or some other means (including through media outlets), set up in advance the measures you’ll take to reach your base with updates. Remember that, in an information vacuum, a false narrative can develop that is worse than the truth.
Your plan may look good on paper, but it needs to be stress-tested. Set aside a block of time with the people involved to walk through a mock scenario at least once a year, or whenever there is a change in leadership. You’ll identify kinks in the process and strengthen your institutional reflexes.
- Understand what threats you face
Your IT professionals are probably more paranoid than they’ve ever been about IT security, and with good reason. There are more threat vectors now than ever. Hacking has become a sophisticated—and thriving—dark industry. There are virtual black markets where sensitive information can be bought and sold like a crate of oranges.
Don’t let MarCom be a weak link in your IT security. Some weak spots might be internal and not obvious, like naive employees who inadvertently fall victim to social engineering and phishing attacks. Consider your vendors, such as advertising and PR agencies, who may have login access to your official social media accounts. The fact is, a social media hack can happen to anyone, even Mark Zuckerberg. Talk to your security expert to make sure your marketing channels are secure and that access is auditable.
- Plan for crisis in your vertical
A security breach at one of your rivals may taint your entire industry. The WannaCry virus hit the National Health Service in the UK so hard that ambulances were diverted and surgeries postponed, creating chaos across the healthcare industry. When credit card information is stolen from one merchant, customers may be more reluctant to purchase from any merchant in that vertical. Gain an understanding of what security and recovery measures your company has in place so that you can reassure your customer base if disaster strikes your industry.
The most important takeaway—get started now. Those of us who live in earthquake country know “the big one” may come in 10 years or 10 minutes. Planning ahead is what defines the difference between managing a crisis and succumbing to one.