We have previously mentioned how customer trust can take many years to build, but just a matter of minutes to shatter.
Effective communication with staff, stakeholders, customers, and the media is crucial for shaping perception and maintaining trust.
The National Cyber Security Centre (NCSC) has recently published new guidance on effective communications in a cyber incident to support organisations of any size in managing their communications strategy before, during, and after a cyber incident.
The guidance outlines three core principles to follow:
1. Prepare your communications strategy in advance. Effective preparation can lessen the overall impact when an attack occurs:
🔸 Outline roles and responsibilities, and develop communication templates for tested scenarios.
🔸 Identify the key stakeholders that would need to be informed of an incident.
🔸 Understand the communication channels to use and also identify media channels to monitor so you can respond in the event of misinformation.
🔸 Regularly test & review the robustness of the plan.
🔸 Have a Plan B for communication channels in the event a cyberattack disables them. Establish a customer support channel/platform for customers to access.
2. Communicate clearly with different parties, and tailor your messaging where necessary. Communications should address the specific concerns and needs of each key stakeholder group such as staff, customers, the board, and the media, while also ensuring that the core points are consistent across them.
As part of risk management, hold internal meetings and have communication as a standing agenda item. Communication best practice:
🔸 Clear, consistent, timely and transparent.
🔸 Information needs to be accurate.
🔸 Manage expectations and do not understate impact, especially if you are under pressure internally. Retracting a statement later down the line can be harmful to credibility.
🔸 Utilise available support and guidance if you need customers to take action.
🔸 Manage external factors by being careful about accuracy, about what you are allowed to share, and about what happens if the information gets into the wrong hands.
🔸 Develop a Q&A document for the media in the event an incident gets into the public domain.
3. Manage the aftermath in the medium and long term. After the initial shock, recovery can take anywhere from days to months, or even years. This should be uppermost in mind when putting the communications response together:
🔸 Provide regular updates with milestones and target timescales for a resolution.
🔸 Communicate the latest assessment of the impact.
🔸 Continue to engage with stakeholders, which rebuilds trust.
🔸 Be open with the media and respond in a timely fashion to queries.
🔸 Carry out a lessons learned review and share this with the NCSC to help others deal with an incident in the future.