Cyber breach: not if, but when
April 20, 2017 • 3 minute read
Nearly seven in ten large UK businesses experienced a data breach or cyber attack in the past year, according to data released by the government this week. For those running businesses in the UK, breaches are no longer a case of if, but rather of when.
With the average annual cost per company of cyber breaches put at £20,000 – and in some cases running into millions – firms are understandably investing more in security measures to counter the risks. What is less tangible is the reputational damage. Firms are strongly advised to prepare for both the direct impact of a cyber breach and its reputational consequences.
Consider this 10-point checklist for cyber crisis communications preparedness:
1. Build a team
Have a response team of various internal and external players that can be easily assembled in the event of a cyber incident. It is vital to ensure each response team member knows their role before a crisis hits. Internally, teams should include a Head of Communications, CMO or COO, Chairman, Head of IT or CIO and the firm's General Counsel; externally, outside legal counsel, a crisis communications firm, the insurer, and possibly more.
2. Perform a risk assessment
Identify and prioritise potential threat scenarios, weaknesses and areas to improve. Alongside the benefit of recognising the potential threats, a risk assessment also allows a firm to catalogue and prioritise the various levels of risk.
3. Identify a range of crisis scenarios
Cyber crises can take multiple forms. Identifying specific possibilities as part of a risk assessment allows for better preparation and response.
4. Prepare a crisis communications plan
Having a tangible and maintainable plan allows for the smooth execution of priorities in the event a crisis does occur. This plan should include all response team member roles and planned strategies for predictable outcomes. It should be shared with all response team members.
5. Run a test
No amount of written preparation can equal the benefits of running a test scenario with response team members. After the test, evaluate what worked best and how the crisis communications plan can be improved.
6. Designate a crisis manager and spokespeople
Designate managers and spokespeople at all regional locations and for all levels of potential crisis. These individuals should be ready for all crisis scenarios and should receive thorough media training.
7. Prepare a checklist
Rather than react to events, get ahead of them by identifying the exact steps necessary to preserve key goals while dealing with a cyber crisis. A prepared checklist should be part of the crisis plan and allow for the quick execution of a crisis response strategy.
8. Prepare communications documents and statements
While not all scenarios can be predicted, many crises follow predictable paths. Whether the cause is a technical failure or a malicious information security breach, the crisis team should have draft media statements ready for both internal and external audiences. Preparation means a quicker response time and allows for identifying key audiences and properly shaping messages.
9. Build and maintain media lists for various jurisdictions
Any crisis that involves interaction with the media requires targeted and well-maintained lists of appropriate media contacts.
10. Have an internal media protocol
In the event of a crisis, who may speak with the media? What information can be shared with employees, and how should they address media inquiries? An internal media protocol will answer these questions and train employees on proper media conduct.