Manchester United, Stadler Rail, easyJet, and Garmin. These very different organizations have one thing in common. All kinds of organizations face the threat of cyber-attacks, including businesses, universities, hospitals, and governmental infrastructures. And those big names are just the tip of the iceberg of companies affected by cyber-attacks last year. Moreover, the year ended with reports of a severe cyber-attack targeting software made by US tech firm SolarWinds, impacting US government agencies, critical infrastructure and numerous companies.
Cyber-attacks were a well-known, anticipated global risk in 2020, yet they became even more prevalent as Covid-19 forced organizations to suddenly accelerate their digitization and rapidly extend ‘home office’ working. An upsurge in cyber-attacks followed. Cyber-security experts even spoke of a global pandemic of phishing attacks as cyber criminals tried to exploit weaknesses while Covid-19 interrupted usual work patterns.
While several well-known names made headlines, many other companies suffered from cyber-attacks, including many small- and medium-sized companies. A report published in December 2020 by ICT Switzerland found that a quarter of Swiss SMEs have already fallen victim to a serious cyber-attack. The report highlighted that “out of the 38,250 or so SMEs throughout Switzerland that have been attacked, around a third (12,930 SMEs) have suffered financial damage and every tenth attack has led to reputational damage and/or loss of customer data.”
Clearly, cyber-security is not only a topic for IT experts. Communicators must also take a lead to prepare their organizations against cyber risks. Ideally, communicators should work together with IT managers in organizations to understand the risks, develop or enhance joint crisis management procedures, and prepare scenario plans for different potential cyber risk situations.
Effective communication management should play a key role in building cyber resilience because cyber-attacks not only damage an organization’s infrastructure but also affect its immaterial assets, such as trust and reputation. However, as identified in last year’s European Communication Monitor 2020, only a small minority of communicators are currently involved in building cyber resilience.
The authors Richard Moist and Philipp Bachmann are researching the role of communicators with regard to cyber resilience in small- and medium-sized companies.
Establishing a culture of cyber resilience
Communicators can contribute to multi-departmental and multi-disciplinary resilience as promoted by the common IT cyber approach of ‘Identify, Protect, Detect, Respond, and Recover.’ While involved in handling reactive crisis situations, communicators should be more involved in preparedness, not only ensuring cyber literacy but also doing their part to foster a culture of cyber resilience. That means communicating the topic to stakeholders, collaborating closely with IT and others (including management) on crisis preparedness and planning and, of course, communicating appropriately on cyber issues or crises (meeting regulatory requirements and safeguarding reputations). They can inform employees and stakeholders how to work securely and how to react in case of doubt.
Updating crisis plans and preparing leaders
Communication professionals should regularly update their crisis communication plans and meet with key stakeholders about how they would respond to a cyber-attack. Indeed, depending on the industry, strict regulations demand comprehensive response plans in which communication cannot be an afterthought. As with all crisis management planning and preparedness, the best cyber crisis plans are those which are tested and trained, including during training exercises.
As with other crisis scenarios, dealing with cyber-security risks demands management attention and input. Communicators should prepare leaders for worst-case scenarios, encouraging them to get involved in crisis preparedness. They should also ensure that their organizations are ready for the challenges of a possible cyber-attack – from possible ransom demands to frozen systems and potential data breaches bringing imminent threats of General Data Protection Regulation (GDPR) infringements and fines (not to mention the impact of cyber-attacks on an organization’s stakeholders and, of course, on reputations).
Which reminds us, update your passwords! And as recommended by the Global Cyber Alliance, change them to passphrases (if you haven’t already).
Richard Moist is Lecturer at Lucerne University of Applied Sciences and Arts, School of Business, IKM (Institute for Communication and Marketing)