Cyber attacks and crisis communications – planning for the big one
By Tom Mueller
Business continuity planning has always been an important part of crisis planning, albeit not a very sexy one. The time and energy invested in BC planning was mostly about setting up alternative office space, work stations, phone lines – all tying back to the company’s main operating systems and network. It was an infrastructure conversation about alternative physical infrastructure should your building suffer a fire or be in the path of a major hurricane.
But the threat of cyber attacks is changing the game, and putting communication leaders in the position of rethinking what business continuity means in this new threat environment.
In a number of recent cyber attacks, large firms lost entire communications systems – phone systems, intranet, email – and were left scrambling for alternative communication tools to keep the information flowing. These systems outages halted companies’ ability to take orders, to track orders, to deliver goods and to communicate with employees and customers. In some cases, competitors swooped in to pick up those customers, potentially resulting in a long term loss of business for affected firms. Commercial impacts from malware / ransomware attacks in 2017 have been significant.
So, what’s your plan?
These real-life incidents beg the question: what is your backup plan if your email system goes down? And if your intranet goes along with it? Or if your company laptops all suddenly go belly-up with a ransomware attack? How will you access your contacts, crisis plans and other data that live on that Sharepoint site? How will you get updates and instructions to your employees without those tools? And more fundamentally, how will you print documents if your networked printers are no longer networked?
Keep it simple?
Given the pace of change in the tech industry and the number of new tools and technologies coming into the marketplace, keeping up with evolving options can be a full-time job – so let’s start with simple.
I would default to the simplest solution to maintain employee lines of communication – by going where staff already are: messaging apps. You needn’t build a parallel network in the immediate aftermath of an attack; your priority should be tapping in to these existing (albeit informal) lines of communication. I’ve found that many teams use messaging apps informally in their businesses today – to share personal notes or just build camaraderie within the team. Whatsapp as a popular app in many countries, and of course WeChat is your likely choice in China; both are powerful communication tools that can be leveraged in a crisis.
Scaling up app use in a particular business or geography may be as simple as your local employees downloading the app.
Linking headquarters to the field
First, however, you need to get your crisis messaging/instructions out to the field and in the hands of your communications teams. If you’re a communications manager sitting at headquarters, how do you do that when your intranet is down, email is out, and your laptop has been compromised?
You could turn to your phone. Notification/crisis apps such as Send Word Now or Rock Dove’s In Case of Crisis offer push notifications and are evolving to offer greater capability to transmit longer messages and even convene conference calls. Some countries don’t allow use of those services, though, so you may need more than one tool.
You might also stand up a private crisis website where you post employee communications and offer a secure venue for two-way communication with staff around the evolving situation. This site must be hosted outside of your regular corporate network. You provide password-protected access to your key communication and business leads around the world, who can then access updates and cascade the information using their local app channel or other tools. The Response Group’s Jetty crisis website tool offers this capability, along with SMS texting, and a robust inquiry-management capability that could be used to track and respond to internal questions from across the company.
Backup email
Replacing your crashed email system doesn’t have to be that difficult either. You could rely on employee personal email addresses in the near term to keep information flowing. That only works if you have your employees’ personal email addresses in a secure location outside of your now-compromised network. Or you could set up a parallel email system on a major platform like Google or Yahoo, and use those to share information. Google’s GSuite offers email using a customized domain address (your company name) for $5 per user per month. You could create parallel email addresses for critical staff there. And there are other tools out there as well. Whichever option you choose, though, your staff have to remember how to access it when needed. That means engaging them in regular training and crisis exercises.
Just for fun
Here’s an interesting way to engage your staff around this discussion – host a crisis exercise where no company laptop or network access is permitted. Then watch people get creative digging up information, preparing written communications, and trying to print documents.
The point is, you don’t want to be figuring all of this out during a crisis. You need to have a crisis communications plan in place and tested periodically. Your communications function should have a business continuity plan, and procedures for managing communications in a cyber outage should be part of it.
Tom Mueller is a crisis communications and training professional working in the energy industry.