Crisis Management: Why it is important in a cyber-attack

    High profile cyber-attacks are becoming increasingly common, and if you or your business fall victim, how you manage the crisis can make or break your reputation.

    Following the very high-profile Optus and Medibank data breaches, and amid reports of cybercrime being made every seven (7) minutes, the risk to businesses has never been clearer.

    Crisis management limits potential reputational damage, financial loss, and liability. With the Australian Government reviewing how it will respond to cyber-attacks, it’s time to consider the importance of effective crisis management and media training should you become a victim.


    Lessons learnt from the Optus cyber-attack

    In 2022, Optus was hit by a cyber-attack that saw the data of almost 10 million customers comprised. It was one of the most significant data breaches in Australian history.

    Optus’ response to its crisis drew immense criticism from the government, media, and, most importantly, its customers.

    From the start, Optus lacked transparency. It took them four days from the announcement of the breach to notify customers, and even then, it was through a generic email. Optus management also didn’t tell customers Medicare details were among the exposed data and mislabelled the attack as ‘sophisticated’ when it was a basic security breach.

    Optus’ spokespeople were unprepared, lacked consistent messaging, showed no empathy, and they played the victim to avoid giving an adequate apology.

    Customers were understandably frustrated at the lack of information they were receiving from Optus despite their personal data being at risk. Some customers only found out about the breach through the news.

    So, what can we learn from Optus’ mistakes?

    • Be ready with a Crisis Management Plan
    • Have key spokespeople Media Trained
    • And have pre-existing messaging prepared so you can respond quickly and with empathy should something go wrong.

    3 phases of effective crisis management

    You’ve just been alerted your business has been hit by a cyber-attack and the data of your customers is compromised – what do you do? Who are you going to tell and what will you say?

    When communicating in any crisis, there are three essential points: acknowledge, action, and update.

    1.    Acknowledge

    Let your stakeholders know when a crisis has occurred. In a cyber-attack, personal data is usually at risk, making your customers vulnerable, so it’s crucial to communicate as soon as possible and from a place of empathy and honesty.

    Adoni Media Managing Director and former senior journalist Leisa Goddard says you can’t underestimate the importance of a quick response.

    “If you want to be in control, you only have 20 minutes after a crisis hits to respond,” Ms Goddard said.

    “The longer you are silent, the more you lose the ability to control the narrative. You need to be forthcoming to help explain the situation and show stakeholders what you are doing.”

    2.    Action

    Let your stakeholders know what you’re doing, or what you’re going to do, to rectify the situation. A Crisis Management Plan will help you know what steps you’re likely to take in crisis situations and how you will communicate to your customers, shareholders, stakeholders, and the community.

    3.    Update

    Keeping stakeholders updated goes a long way to positioning your company as transparent and trustworthy. Everyone makes mistakes – if you hide or downplay them, you’ll expose your business or organisation to even more media scrutiny and consumer anger.

    Fear is driven by the unknown, so regular updates serve to reassure stakeholders and make them feel informed as to what steps are being taken to mitigate the crisis. A list of important stakeholders to contact should be part of your crisis management plan.

    What is a Crisis Management Plan?

    You might not be able to prevent a crisis, but you can learn and prepare how to manage one should it occur. A key component in navigating a crisis is having a Crisis Management Plan.

    When a crisis hits, people may panic and forget what to do. Your plan guides staff and stakeholders on what to do, how to act, and what to say – all of which will lessen potential reputational damage.

    In your plan, detail your main spokespeople and key messages for internal and external audiences, and develop holding statements for likely crisis scenarios. It’s vital you use consistent language to avoid any confusion and to stay on message.

    This includes communication strategies for EDMs, social media, website statements, media releases, and other communication channels relevant to your business.

    In a cyber crisis, familiarise customers with your privacy policy and how you manage their data – this should already be on your website, and would be beneficial to distribute through your social media channels.

    Having a plan in place also means you can consult your legal team ahead of a crisis to ensure you’re communicating effectively without admitting liability.

    You can find examples of crisis management plans here.

    The importance of media training

    In a crisis, you’ll likely to be exposed to more media scrutiny than ever before, and you’ll need to be prepared to face tough questions from journalists. As we saw with Optus, the way a spokesperson responds in a crisis can radically change how your business is perceived, and in some cases, whether it survives.

    A good spokesperson will know how to navigate the media and stick to key messages without appearing as if they’re caught off-guard or are robotic.

    “An effective spokesperson needs to be authentic, empathetic, and authoritative. They need to be able to perform under pressure to deliver key messages clearly and concisely while engaging the audience,” Ms Goddard said.

    Media training sets up your spokesperson for success by giving them the confidence and practice they need to face the media.

    The only way to successfully manage a crisis is to prepare for it. Train your spokespeople, have a management plan ready, and be honest and transparent if something goes wrong.

    To learn more about how to best prepare your business to respond to a cyber crisis, contact Adoni Media’s crisis management and media training experts for a consultation.