Episode 80: Dos and don'ts: cyber incident crisis communications
LESS CHATTER, MORE MATTER PODCAST | 15 AUGUST 2024
If you haven't heard about the Optus cyber breach, the MediSecure cyber attack or even the St. Vincents ransomware shenanigans - you're about to. And mostly, not for good reason.
In this episode of the Less Chatter, More Matter, podcast we give you some critical strategies for responding to cyber incidents. In fact, we emphasise the importance of preparation and clear communication, highlighting five key tips to navigating your crisis comms prep in lieu of a cyber incident.
We run you through the big dos and don'ts in the comms world, and we give you some malleable tips on getting prepared for the semi-inevitable. In this digital age, are you willing to risk your brand rep?
Join us to find out more!
Links mentioned in this episode:
-
[00:00:00] So you are sitting in front of your laptop, answering your emails, preparing for meetings, and generally minding your own business...
[00:00:07] Then the phone rings. It's the head of your IT department. And they utter those ominous words, I think we might have a problem. Someone has detected a potential breach of your systems. It's not known yet if it's actually occurred and if it has, what's been accessed or even stolen. What would you do as a comms professional in this situation?
[00:00:33] Unfortunately, the instances of cyber attacks and other cyber incidents like mass outages are becoming all too frequent and every single business, no matter the size - is at risk. But how you respond to that incident will speak volumes about your business and will make or break your reputation and trust in your brand. And that's what today's episode is all about.
[00:00:56] [00:01:00] Hi everyone. And welcome to Less Chatter, More Matter, the communications podcast. I'm your host, Mel Loy, and I'm coming to you from Meanjin or Brisbane on Yuggera and Turrbal country. A big thank you to those of you who have reached out to me recently to provide feedback on my fortnightly email, the podcast, LinkedIn content, or template packs, all that feedback helps me improve, but it also shows me all this work is worthwhile.
[00:01:25] So thank you so much. So today's episode, we're going to be tackling one of the biggest risks to every single business on the planet. Cyber incidents. It doesn't matter what your business does, the size of it, or even where you're based. We live in a digital world and that means we're all at risk of digital issues.
[00:01:45] It could be something relatively small, like your business's Facebook page being hacked. I know plenty of small businesses or solopreneurs who have unfortunately had that happen. And it's their primary way of reaching their customers. And selling their products. So [00:02:00] in an instant, they lose access to all of that.
[00:02:02] It's super frustrating, but it can also damage your brand. If the hackers start to use your profile to harass other people or post really inappropriate content. It could also be an incident as large as the Optus outage, which saw 10 million Optus customers lose access to the network they're paying for, or the CyberStrike issue that caused millions of Microsoft users worldwide to lose access to their systems just recently, or even the UnitingCare ransomware attack.
[00:02:30] Now, here's the challenge. As I said, We live in a digital world and we are so reliant on the basic things like emails right through to the more complex things like financial management systems that any issue is going to be a huge challenge these days. But as long as we rely on these systems, and as long as humans with all their beautiful quirks exist, we are going to have issues.
[00:02:52] So the best way to respond when these issues occur is to be prepared in the first place. Here's the thing. [00:03:00] Your customers and stakeholders do not care what caused the issue. They care how you respond. Very few will be thinking, oh damn, those hackers are at it again. Poor you, giant global business. Most will be thinking, giant business, what are you doing to protect my information?
[00:03:18] Now, how you answer that question and many others will play a big part in how well you ride out this storm. So in today's episode, I'm going to share some top do's and don'ts of cyber incident crisis comms, and we'll have a few case studies to draw on as well. But before we get into that, here's the top tip.
[00:03:35] Do not be afraid to call in the help if you need it, especially small businesses have an established relationship with an agency or crisis comms expert so that you can call them at a moment's notice. If need be, you do not have to do this alone. Okay. So the first, Big tip is know who will speak to who and when. This first step is to make sure that you've got a really [00:04:00] great crisis comms plan ready to roll that your key stakeholders are super familiar with those plans and that you've practiced this these scenarios so that you can act quickly if you don't have a crisis comms plan ready.
[00:04:12] You can't act quickly. And when you can't act quickly, you lose control of the narrative and you lose trust. And a big part of that comms plan is who will speak to who and when and in what order. So what I mean by that is who are the key stakeholders you'll need to inform when there's a cyber incident, who in your business will speak to those stakeholders and in what timeframe or schedule or order will they be spoken to.
[00:04:37] So for the bigger companies with the bigger incidents, this could be starting with someone in the federal government, like the relevant minister, as well as cyber crime agencies, state government, other CEOs of competitors, because they could also be at risk and so on. Now, this is something that Optus failed to do well when they were the victims of a massive cyber criminal breach in 2022.
[00:04:59] Now in [00:05:00] that event, you would expect the CEO would be on the phone to the federal cybersecurity minister, ASAP. But apparently she wasn't. And when the minister was on the radio later in the day being interviewed about the incident, she publicly rebuked Optus for their lack of communication. And that did nothing for helping to maintain any trust or confidence in Optus's ability to deal with the hack.
[00:05:23] As part of your planning, you need to get all of your internal stakeholders in a room and figure out who the key external stakeholders are. Who will call them and in what order when an incident occurs. It doesn't even need to be a cyber incident. It could be anything like a big potential financial issue, fraud, natural disaster, et cetera. Just be really clear on that call schedule.
[00:05:44] Okay, the second tip is to be aligned on when you will go public. This one can be challenging because it really comes down to a couple of factors. Firstly, one of the challenges with cyber incidents is that it's not always immediately clear what's happened. [00:06:00] Or the impact of that. So for example, you might get a call saying this potential breach, but it could be a couple of hours before, you know, for sure that a breach has even occurred, what has been accessed.
[00:06:10] If any data has been stolen, what that data is, et cetera, et cetera. So do you go public as soon as there's a potential breach? Or do you wait until you know all the detail or is it somewhere in between? And a lot of this comes down to the second factor, which is your own internal risk appetite and how you balance that with a need to act quickly.
[00:06:31] So people don't find out about the issue through other sources. And again, it's about trying to maintain your reputation and trust in your brand as much as possible. Now, this is where you'll often have tension between the comms folks and the lawyers or the risk or the IT folks. The latter may want to hold off for as long as possible, but our role is to help protect customers and in doing so protect the reputation of the businesses we work for.
[00:06:58] This is a discussion you need to have [00:07:00] before a cyber incident occurs. You will not have time to have this argument when one does happen. So in your crisis comms plan, you should be really clear on what the triggers are for going public. When an incident occurs. Not just a cyber incident. Now we've seen that go really wrong in many incidents.
[00:07:18] So for example, back to Optus, unfortunately, the poster child right now, they had this massive system outage in 2023, which lasted for 12 hours and impacted 10 million phone and internet customers. And it also impacted the ability for people to call emergency services, which they are now being investigated for by the regulator.
[00:07:39] But on that particular day. Back in 2022, or 23 rather, they didn't confirm an issue until two hours after reports had already started circulating on social media. And again, this doesn't help build trust or confidence. Now, even if you don't have all the answers early on, my advice is: Go out [00:08:00] quickly and confirm that you're at least aware of the issue and you're investigating.
[00:08:03] That tells people that you're on top of it at least. Another case study in what not to do is the recent MediSecure breach. So if you don't know about that one, MediSecure was a provider of eScripts to the health industry and they had a huge data breach where 12. 9 million Australians had personal data stolen.
[00:08:22] Now, the incident occurred in late 2023, but they didn't even confirm the theft had occurred until May this year. And until May, they hadn't shared how many people were impacted or even contacted them. So apart from saying far too little, far too late, because they were far too slow to say anything - journalists were able to find out before they had a chance to say anything. And that's because the Federal Government had confirmed that an eScript provider had been subject to a cyber attack. And given there were only two such providers in Australia at the time, it really didn't take a genius to work out who. Here's the [00:09:00] thing: it will always get out.
[00:09:02] It's not a matter of if, but when, and if you're not the one sharing it, someone else will, and they'll put their own spin on it. People remember the first story they hear. That's the primacy effect. You want your story to be the first. Now, just to make matters worse, when MediSecure did eventually release a statement, the date on it was from a few days earlier, which showed they had been sitting on this for a while.
[00:09:26] And here's the kicker. The business is now in administration. There's absolutely no way they'll survive this. So the lesson is say something, say it early and be aligned on the timing. Okay. The third tip when faced with a cyber incident is to keep the information flow going. Now it might be that you don't always have something new to say. And that's okay. Customers just want to know you're on top of things. Even when you don't have much new information to share, you can still use it as an opportunity to give a peek behind the curtains and share what you're doing internally to [00:10:00] investigate. And that will help people understand why potentially it's taking so long for you to get details.
[00:10:04] So for example, you could talk about how many people have been assigned to the incident, the number of systems they're checking, et cetera. And you can do all of that without giving away any confidential or sensitive information. But the point is that again, we really want to maintain trust and confidence in your business.
[00:10:21] So we have to keep showing that you're working really hard to solve the issue. And as soon as you can, give people some tips on what they should be doing personally. So for example, should they be calling their banks and closing credit cards? Should they be changing passwords? Be on the lookout for potential scams, et cetera.
[00:10:39] I mean, imagine you've been told that there's a good chance that your personal medical information has been stolen or your credit card information. Of course you'd be worried. And of course you'd want to know what the business is doing to fix the issue, but also if there's anything you should be doing to prevent any further breaches or your info getting out further.
[00:10:58] Now, a good case study on [00:11:00] what to do is St. Vincent's, which is a hospital operator here in Australia. They were the victims of a cyber attack in late 2023 and immediately released an initial statement. They then provided regular short updates, and a few days later, they were able to provide much more detailed statements.
[00:11:18] And those statements talked through the steps they'd taken, what they had discovered, the fact they were working with federal authorities, and also included a list of FAQs. So basically, they were preempting the questions they were likely to get, and they were getting on the front foot. And they continue to issue these statements and respond to media inquiries over the course of a couple of months.
[00:11:40] Now contrast that with the Optus outage in 2023, where they had one brief update on Twitter and didn't have another until six hours later. It's just not good enough. If you're a person who relied on the Optus network for all your personal and business communication, you'd be pretty peeved that you had no update for six hours.
[00:11:58] And there was also no comment from the [00:12:00] CEO until almost seven hours after the incident started. So the lesson here, not only should you say something quickly, but keep offering regular updates and use it as an opportunity to demonstrate your expertise in managing the situation. Number four, and this is a big one, do not under any circumstances, let lawyers write your comms - either for internal audiences like your staff or external audiences like media and customers.
[00:12:28] Should they check it as subject matter experts? Absolutely. You don't want to land into your business or individuals in legal hot water because of something that you wrote in your comms. But the problem with legal speak is exactly that. It's legal speak. It makes very little sense to most people. And it's often just a way of not admitting responsibility.
[00:12:48] We are talking to humans. So we need to talk like humans. That means clear, plain language. And again, about maintaining trust. If you go out with copy, that's obviously been written by a [00:13:00] lawyer. It will annoy the crap out of people. They will see right through it as well because it won't be genuine or empathetic because it'll sound like a lawyer wrote it.
[00:13:08] No disrespect to lawyers here, you do your job for a reason, but we're talking about maintaining reputation here and keeping people on board. And also people get annoyed if they can't get the clear message straight away. Now it's not just lawyers though, it's technical experts too, who are prone to use words that can actually make things seem almost so much worse or inflammatory or jargon that people like customers just would not understand.
[00:13:32] And nor should they, they're not technical experts. The communication needs to be written with a genuine tone, with empathy and clearly and succinctly state what's happened, what you're doing, what's next, as far as you know. So use language that is audience centered. Now in an example of what not to do, and when it's obvious lawyers have been involved, here's the statement that MediSecure eventually released after they'd already been outed.[00:14:00]
[00:14:00] Okay, it reads: "MediSecure has identified a cyber security incident impacting the personal and health information of individuals. We have taken immediate steps to mitigate any potential impact on our systems. While we continue to gather more information, early indicators suggest the incident originated from one of our third party vendors.
[00:14:18] MediSecure takes its legal and ethical obligations seriously and appreciate this information will be of concern. MediSecure is actively assisting the Australian Digital Health Agency and the National Cyber Security Coordinator to manage the impacts of the incident.
[00:14:34] MediSecure has also notified the Office of the Australian Information Commissioner and other key regulators. MediSecure understands the importance of transparency and will provide further updates via our website as soon as more information becomes available. We appreciate your patience and understanding during this time."
[00:14:51] Okay, let's break that down. So it starts with them taking immediate steps to mitigate potential impact on their [00:15:00] systems, not on mitigating impact to the people whose data has been stolen. So it becomes about them. And it's a whole lot of we statements in all of that. It's all about the company. It's actually nothing about the true victims here, which is the 12. 9 million people whose personal medical information has been stolen. Now, speaking of which, there's nothing in that statement that actually apologises to the people impacted by the breach. They try and pass it off onto a third party, making them the cause of it. But at the end of the day, they're the ones who also didn't take the steps to make sure their third parties were doing the right things and secure as well.
[00:15:35] And of course, people expect that MediSecure are the ones that are keeping their data safe. The very least they could have done is say, we are sincerely apologising for this breach occurring. Okay. Yes, the lawyers are going, but you'll admit responsibility. Right, right. There are ways that you can say we're, we're really sorry about the fact that this has happened.
[00:15:54] Right. Um, number three, there is zero empathy or [00:16:00] genuine concern in any of that statement. Number four, that does nothing to allay the fears of the public who have been impacted. Number five, it's obviously written by lawyers. What I really love is that, uh, we, you know, it says MediSecure understands the importance of transparency and will provide further updates.
[00:16:17] If you understood transparency, then why did it take you until May to get this out? So, so much of this is just so wrong. The lesson. Be human in your communication. And while you should seek the review and input of experts, ultimately you are the expert in reputation management. Okay. Number five, the final tip is probably the most important and has been a little bit covered in the previous four.
[00:16:42] And that is keep your customers or employees or end users, whoever it might be. At the centre of your communication. Yes, your business has been terribly disrupted and it might well be because of some criminal activity that you couldn't control, but your end users are the ones who have [00:17:00] absolutely no control on the situation and who trusted you to have the right tools and systems and checks in place to protect their data.
[00:17:07] They are the real victims here. So this means we need to be using language that is empathetic to our customers. We need to focus on what they'll be worried about and what they need to know. Again, in a case study of what not to do during the Optus outage last year, the then CEO, Kelly Bayer Rosemary was being interviewed by media who put to her, this case of a barber in Sydney who couldn't trade because he relied on the Optus network for his EFTPOS transactions. Now, given how very few people carry cash now, particularly in a post COVID era, the barber ended up having to close early for the day and missed out on hundreds of dollars of income. For a small business, that is a big loss, but what the CEO said wasn't particularly helpful.
[00:17:53] So instead of showing empathy, all she said was: "that cutting hair seems like one of the few things you can do without [00:18:00] connectivity." Now, apart from being completely tone deaf, those comments immediately sparked a whole lot of discussion online, particularly among small business owners. So it only made matters worse for her reputation and for the reputation of Optus. And from a communication perspective, that's obviously the complete opposite of what we're trying to achieve when responding to any crisis.
[00:18:23] The lesson? Show empathy, talk about the customer to the customer, and avoid the whole woe is me commentary. Okay, it is time for your episode recap. So, today, we tackled how to respond in the event of a cyber incident, or how not to respond, drawing on a bunch of case studies. I covered five top tips we've learned from these incidents.
[00:18:44] Number one, know who will speak to who and when. In your crisis comms plan, be very clear on who your external stakeholders are who will need to be notified in the incident of a cyber attack or breach or even just any... [00:19:00] disaster, really. Who will call them and in what order those calls will occur. Number two, be aligned internally on when you will go public.
[00:19:10] You want to be the first to tell the story, but you do need to have that discussion with internal stakeholders like your legal and risk teams before an incident like this occurs. In your crisis comms plan, make sure you document what the triggers are for going public. And remember, it always gets out.
[00:19:27] Saying nothing is not an option. Number three, keep the information flowing. One initial statement followed by a tweet six hours later is not enough. Make sure you're offering regular updates to your website. Even if it's just to confirm you are still investigating or to show people what you're doing as part of that investigation. Make sure you're including information for what steps people can take.
[00:19:49] So for example, if they can't access your systems, or if they potentially have personal data stolen, what could they do? Number four, don't let the lawyers write the copy or the [00:20:00] tech heads. You are the expert in reputation management. You should absolutely get those specialists to check your copy to make sure it won't cause any issues down the track and to make sure it's accurate.
[00:20:10] But if those guys get involved, it'll probably be full of technical jargon and it won't say anything, and it's certainly won't be genuine or empathetic. And number five, keep your end users at the centre. Whether that's your employees, your customers, or anyone else, they're the real victims here. They have zero control over the situation.
[00:20:30] All your comms should be focused on them, not you whinging about how hard it is for you. Now, if you'd like to learn more about crisis comms, you are in luck, my friend, my final crisis comms bootcamp is coming up really shortly. It's a one hour webinar once a day for five days, and you will get everything you need to kickstart your crisis comms planning, including a template pack.
[00:20:53] Loads of tips on best practices and case studies to draw from. So this course continues to get really great feedback [00:21:00] every time I run it. So I don't want you to miss out. I will pop the link in the show notes, or you can head to heymelcomms.com.au/workshops. Now, if you're not up for the course, you can always purchase the crisis comms template pack directly from my website.
[00:21:15] As always, stay up to date with all the learning, events, and comms news from around the world by signing up to my fortnightly email. Each edition is packed full of value and is non spammy. It continues to get a really high open rate, about 60 percent each edition, which tells me you're all finding this valuable too.
[00:21:32] So in the meantime, keep doing amazing things and bye for now.