Communicating effectively in the aftermath of a cybercrisis

When a company suffers a cyberattack, there is always a period of shock, which leads to the following questions: should we communicate when we are not yet fully aware of all the implications of the crisis? Or should we stall, dodge or remain silent, lest we make the crisis worse? How forthcoming should we be in sharing information? While there is no single cure-all for a cyberattack, there are general guidelines for how to communicate in a crisis.

Silence accelerates crises

Silence or cover-ups are often the first temptations when a crisis occurs. Fear of damaging the company’s reputation, fear that hackers will retaliate in some major way, fear of scaring employees and customers, fear of admitting weaknesses: there are plenty of reasons to try to stay under the media radar.

While it may seem counterintuitive, discretion and silence can be powerful crisis accelerators. Saying nothing makes stakeholders suspicious, with the risk that some may speak out about the situation and cloud their understanding of the facts.

Openness is key

In March 2019, Norsk Hydro, the Norwegian aluminium and renewable energy company, was hit by a ransomware attack that paralysed almost 3,000 servers and computers at several production sites. Far from trying to hide, the company decided to publicly announce the cyberattack the very next day. They created a page on their website with information on the event to serve as both a point of contact to track infrastructure restoration work and to gather stakeholders’ questions to keep them informed of the circumstances of the attack.

Despite the tens of millions of dollars in business lost due to the ransomware, the company’s openness was widely praised by the public, to the point that it is now considered a case study for crisis communications experts. Despite the severity of the ransomware’s impact, Norsk Hydro’s share price didn’t fall, and its reputation was largely preserved. Moreover, by cooperating with Norway’s cybersecurity authorities, the company helped prevent other attacks on companies by the same virus.

Communication isn’t optional

Although some companies may still be reluctant to inform their stakeholders despite the example from Norway, it is worth noting that there are regulations in place regarding cyberattacks. In France, the government has defined two categories of businesses considered critical to the country. The first covers operators of vital importance whose activities are essential to the country’s survival or hazardous to the public. The second category covers essential service operators who depend on computer networks or information systems whose disruption would have a significant impact on the functioning of the economy or society. All of these are subject to a strict communication protocol.

Other laws also require companies to communicate with the relevant authorities about cyberattacks. For example, Article 33 of the GDPR requires a company that has suffered a cyberattack to inform the authorities (in this case, ANSSI) no later than 72 hours after discovering the incident. Article 34 of the GDPR also requires these companies to inform data subjects of any data leaks or thefts.

Actively monitor the situation

Once the cyberattack has been publicly announced, companies are strongly advised to set up a powerful media and social network monitoring system and, in certain cases, to enlist the help of experts to infiltrate the darknet. The aim of such an approach is to help the company anticipate or curb any statements that could reignite or exacerbate the current crisis.

Communications with customers and suppliers is another sensitive aspect that you should monitor in case any of them have had their own IT systems jeopardised or their data stolen or compromised. This point is particularly crucial because customers who are misinformed or uninformed may decide to vent their frustration. This happened to OVHcloud when their Strasbourg data centre suffered a fire in March 2021.

Learning lessons

When the crisis is over, it is common to want to forget about it and get back to a reassuring everyday routine. This is a serious mistake. Cyberattacks are not harmless for companies, even when they are over. They demand introspection to arrive at a comprehensive analysis of what happened, take the necessary corrective measures and announce them to all the stakeholders.

Saint-Gobain is an exemplary case of a company that took the time to share its experience following the gigantic NotPetya ransomware attack in June 2017. Tens of thousands of computers and servers throughout the group were infected and rendered inoperable. This resulted in a loss of 220 million euros in turnover. The French company learned the lessons from this crisis and remedied it with corrective actions that were explained to employees and customers. A crisis with the appropriate communication is also an opportunity for change and improvement.