Data from the European Communications Monitor 2020 shows that more than half of organizations reported having been the victim of a cyber attack at least once — and COVID-19 made cybersecurity matters worse, far worse. The fallout can be disastrous in terms of legal consequences and economic costs. In 2020, the immediate cost of a single cyber attack averaged $4M. New research indicates that there is also substantial long-tail cost hitting organizations two years after the incident. There might also be a human cost, as 2020 saw the first case of a woman dying as a consequence of a ransomware attack on a German hospital.
Then there is the reputational damage with about 40% of companies reporting negative customer experiences and reputation loss following an incident. Take the example of the hotel chain Marriott: In late 2018, more than 500 million customer records were exposed, and whilst global media coverage exploded as a direct consequence, sentiment towards the company turned from positive to negative. By early 2019, costs related to the incident were at $28 million.
It’s no surprise, therefore, that communicators are called in to help manage the situation. Typically, they are taking the lead in terms of communicating with internal and external stakeholders whilst employing standard crisis communication practices.
There are established best practices for responding to cybercrime incidents. But most efforts do not succeed, and some may even cause further damage:
- Lack of awareness—Many communicators are not aware of cybercrime and some deliberately choose to ignore it. In ‘it can’t happen here’-style, many assume they won’t be affected arguing that their organization is not big enough. True, but this is changing as small and medium-sized businesses are now at the center of cybercriminals’ sweet spot. Simply put, today, every organization in every industry is a target;
- Lack of skills—Many communicators don’t understand cybercrime and are unable to discuss it. Case in point, many don’t know the terminology—think of terms such as ‘spoofing’, ‘whitehat hackers’ or ‘zombies’ as examples. On the corporate communication side, typical mistakes include saying too much or too little too soon or too late, tone-deaf C-level executives, or social media missteps. While technologies offer support, it is an organization’s workforce, including communicators, that is key in causing, preventing, and managing cybercrime incidents;
- Lack of data—Given their experience with media monitoring, social intelligence, and audience research, communicators are experts in scanning environments for relevant (data) signals. That doesn’t apply, however, to threat intelligence, which includes scanning a major source of cybercrime, the Dark Web, for risks;
- Lack of tools—Today’s marketing and PR technology stacks don’t offer any such solutions. There is a growing list of threat intelligence providers but their offerings are not geared toward the needs of communicators.
Despite all of this, communicators can take a leading role in safeguarding their organizations, colleagues, executives, brands, and reputations from cybercrime. That’s why they need to master a new skill: cyber resilience. Cyber resilience is often referred to as an entity’s ability to continuously deliver the intended outcome, despite adverse cyber events. Matt Torrens, COO at Sprout Technologies, goes further by adding that “a true cyber resilience approach blends protection, detection, response and recovery to form an organization-wide, collaborative strategy.”
Both definitions fall short in a number of areas though, most notably on the dimensions of incident prevention and an individual’s accountability. So, cyber resilience refers to the combined ability of an organization, its affiliated individuals, and partners, to develop and implement a holistic approach to preventing, preparing for, responding to, and recovering from a cyber incident. 
So, how do you develop a cyber resilience strategy and the required skills? Consider these elements:
- Prevention—The key is to constantly monitor and communicate organizations’ risk exposure. By scanning the Dark Web for relevant signals, such as a brewing attack, risks can be identified and assessed. Interpreting conversations on so-called paste sites, marketplaces, or chat rooms, requires an upskilling since the media structure of the Dark Web, the lingo used and actors’ behavior differ fundamentally from other parts of the Internet. By understanding the vulnerability landscape, communicators can help develop and implement a communication plan, in close collaboration, for example, with HR, Digital Security, and Internal Communication teams. That way, all employees are aware and know what behavior and practices are safe;
- Preparation—There are many different cyber threats such as birthday attacks, Dark PR or Disinformation-as-a-Service (DaaS) campaigns. Organizations will need effective crisis communication plans: Be prepared and have answers ready to questions such as ‘Who will be part of the crisis team responding to the incident? How quickly will you inform your various publics and in what order? How do you secure communication when essential systems, such as email, are down? And, how do you visibly demonstrate your commitment to protecting your stakeholders?’ To check the effectiveness of their crisis plans, organizations should regularly benchmark plans, train employees, and also run simulations;
- Response—Actual breaches need to be identified as quickly as possible. The response capabilities will be determined to a large degree by the access to and quality of your incident-related data. Regular internal “what do we know and what does it mean” sessions will help establish the facts and understand implications across corporate functions. Data from these digital forensics-driven activities will be key in communicating effectively and transparently post-incident (‘we were attacked by XX and have taken XX measures to secure XX’) and are therefore instrumental in terms of re-establishing trust with all relevant publics;
- Recovery—Moving on from a cyber incident is not easy. Reputation repair is key in this phase which will largely be driven by credibly communicating to all audiences what steps will be undertaken to avoid similar incidents in the future. Proactively plan narratives that resonate with the target publics — this will help avoid prolonged brand damage and loss of trust. Sharing learnings from the incident and how to prevent attacks should be part of the communication tactics.
Developing effective cyber resilience is key for communicators given the explosive growth of the number and quality of attacks. Only communication professionals with access to forensic, incident-related data and tools will be able to implement successful prevention, crisis, and recovery plans.