Blog

PRSA Philly Hosts Crisis Communication Panel:Protecting your Brand’s Reputation against Cyber Warfare

PRSA Philly Hosts Crisis Communication Panel:Protecting your Brand’s Reputation against Cyber Warfare

PRSA Philadelphia recently convened a blue-ribbon panel to discuss the role of public relations in a global economy under ever-increasing threat of cyberattacks. The panelists offered insights and lessons learned from their personal experiences, and offered best practices to the group. 

The panelists included:

 

Moderator, Greg Matusky, President and founder of Gregory FCA

 

Samantha Kruse - Senior Account Supervisor, Edelman’s Crisis & Risk practice

 

John Ciesla - Vice President and Chief Information Security Officer at Mutual of America

 

Odia Kagan, Attorney at Ballard Spah

 

First and foremost, public relations professionals should be familiar with common types of cyberattacks. Close collaboration with corporate IT, legal and security teams is recommended for communications professionals who need to be prepared for and potentially respond to cyberattacks.

According to the panelists, common methods of cyberattack include:

  •  Data breaches
  •  Malware and ransomware
  •  Financial fraud
  •  Phishing
  •  Session hijacking
  •  Hackers targeting personal records
  • Threats against senior management that could also manifest physically

 

Some of the biggest mistakes observed by the panel include:

  • Lack of internal communication on cyber security and potential breaches
  • Lack of internal crisis simulation and strategy
  • No cyber security crisis communication plan established

 

Plan, plan, plan

Public relations best practices require the establishment of a crisis protocol, including:

  • Convening a multifunctional cyber security team that includes legal, technology, company management and PR
  • Developing a cyberattack crisis plan and chain of command
  • Preparing for cyberattacks through planned drills; fine tuning plans based on weak points exposed during the drills
  • Creating core messaging communications document(s) to respond to different types of crises before they occur
  • Developing good relationships with law enforcement outside of a security event so that they know how your business operates
  • Building relationships with key media beforehand – good will to build up; so that there is an ally when situations may occur
  • Training employees on internal communications practices

 

Work the plan

Following are key steps to take if an attack occurs:

  •   Bring on forensics team to investigate and gather information
  •   Involve law enforcement at an early stage
  •   Time your messaging– needs to be communicated sooner rather than later
  •   Monitor social media
  •   Ensure accuracy of all information on incident
  •   Check facts and obtain legal permissions/consulting before sharing information
  •   Be sure not to put out a story that provides hackers with too much information
  •   Calibrate responses with necessary information that you do have - constantly be prepared to     rework messaging as more information is received
  •   Maintain corporate ethics

 

Communicate early and often

Vital information to share with internal and external stakeholders: What happened?

  •  What are we going to do as a company to resolve this?
  •  How do we prevent this from happening again?
  •  Internal communications team should develop timely response with information obtained from forensics investigation.

 

Employees come first

Communicate first with your employees about any incident as they play dual roles as the front line of defense and company advocate. Ensure rapid and ongoing employee updates from senior leadership; provide a channel for two-way communication from rank-and-file employees up the chain of command. Provide updated and ongoing messages targeted to customers.

Additional key audiences

  • Law enforcement
  • Legal counsel
  • Consumers/customers (without unreasonable delay)
  • Regulators
  • Third parties (Important to have knowledge regarding who you are required to notify beforehand)
  • Media -- Can be used as a conduit to get information out to key audiences

 

Read More