The success or failure of managing communication around a data breach or cyber attack hinges on preparation in advance and the time taken to respond.

Research released in July 2019 by cyber security firm, Security In Depth, indicated that more than 80% of Australian companies do not have an incident response plan in place for a data breach, despite the risk of a breach increasing steadily. The research also revealed that the number of reported cyber attacks and data breaches in Australia between 31 July 2018 and 31 July 2019 increased more than 700%.

A business that is adequately prepared with a four-step data breach response plan (contain, assess, notify and review) overlaid with a breach communication plan is better able to spring into action, with a good chance of taking control of issues and communication around an incident the moment it occurs. This is particularly important for incidents such as a cyber attack, which can occur suddenly and dramatically, without any warning.

The fact so few companies are prepared in Australia seems incredible for two reasons. First, many companies do not have a choice about whether to communicate after a cyber attack. If they are covered by the Privacy Act 1988 and they lose data belonging to individuals they are required to report it to Office of the Australian Information Commissioner and may be required to inform affected individuals and customers.

Second, badly handling a cyber attack can be fatal for a business. According to the Security In Depth research, 60% of small businesses that experience a major cyber incident close down within six months.

Key tips around data breach and cyber attack communications

Besides speed of response and getting ahead of the story, here are a few other tips that can contribute to a successful communications response to a cyber attack or data breach.

  • Not relying on a traditional crisis communication plan. Many companies make the mistake of thinking that their existing crisis communication plan, designed to cover events such as fire and other natural disasters, will adequately cover data breaches and cyber attacks. The communication management of IT system breaches and attacks is much more complex than that of natural disasters and requires its own response plan to cover the multitude of scenarios. These breaches also typically occur over much longer periods of time than natural disasters.
  • Continuous communication is vital to successful communication management of data breaches and cyber attacks. It is crucial to regularly update stakeholders as information comes to hand. As well as easing their worry, this communicates that you are in control of the situation and working towards a resolution. Explain in a logical and methodical manner how you are going to fix the situation. Remember that during the initial phase, your stakeholders will want to hear more about how you are going to resolve the problem rather than receive a treatise on how it occurred.
  • Don’t forget to update your staff. It is very likely that they will need reassurance in the event of a data breach or cyber attack given that your company is likely to hold sensitive data relating to them such as their address, bank details, salary and work history. However, staff should only be provided with the information that is directly relevant to them. Transparency is important but caution should be exercised when communicating with staff. Over-sharing information increases the risk that sensitive details will be shared on social media, making the situation considerably more difficult to manage.
  • Consult experts in the field. The sheer complexity of managing communications around a cyber attack means that it makes sense to consult experts in developing best-practice data breach and cyber attack communication plans. Contact FCR’s experienced communications consulting team to help your company create a comprehensive and effective cyber attack response plan. Remember, a data breach is a business problem, not just an IT problem.

Like this article? You might also be interested in our earlier post, ‘Are you ready for a cyber-attack?’