As a crisis communications specialist, Jeff Gaunt works alongside companies to plot every imaginable crisis and develop a plan to get through it with minimal damage.
The blueprint looks a little different when that crisis is a cyberattack or data breach.
“In many cases, cybersecurity becomes its own lane,” said Gaunt, a senior director at Grand Rapids-based PR agency Lambert & Co. who also leads the firm’s crisis and reputation management practice. “A company may have a protocol for everything that could go wrong except for cyber, and cyber is handled differently.”
With cyberattacks and data breaches becoming an ever-present threat to companies, business owners find themselves in need of a comprehensive action plan to sort through the fallout. Communication is a key component of those plans.
In his role, Gaunt — who has also spoken on crisis communication at a number of cybersecurity conferences — has worked alongside clients affected by everything from an email phishing attack to the infiltration of advanced malware.
He acknowledged how the response to a cyberattack might deviate from the traditional blueprint of crisis communication.
“Usually when you’re in a crisis or incident, you need to be able to communicate very fast,” Gaunt said. “There is an expectation on the part of the customer or suppliers or business partners that you let them know what’s going on. But with cyberattacks, often there is investigation that needs to take place — sometimes internal, sometimes you’re pulling in third-party cybersecurity experts. But there is a process you need to go through and that takes time.”
As with most other brands of crisis, Gaunt stressed the need for transparent communication that starts with affected stakeholders. In public-facing companies, that means customers.
John Truscott, CEO of Lansing-based strategic communications firm Truscott Rossman, also stressed the importance of communication during and in the aftermath of a cyberattack.
Truscott’s firm is one of the founding entities of the Defeat the Breach coalition, a no-cost cybersecurity preparedness, response, awareness and education initiative that allows companies to deal with a cyberattack, or the threat of one.
“It’s huge — your customers have to know they can trust you and that you’re doing everything you can to honor them and protect them,” Truscott said. “Reputation management becomes crucial. After the fact, it’s how you communicate with people and let them know the action steps that you took, or that you’re implementing new policies and new technology to make sure it doesn’t happen again. People need to know. Otherwise they feel very vulnerable.”
Gathering legal professionals, operational staff and communication specialists together helps to make planning more seamless. When communicating, transparency is important, if not obligatory by law.
“We’ve handled breaches where identities were stolen or credit card information was compromised,” Truscott said. “You have to let people know so they can notify their credit monitoring service or change passwords — do whatever they need to do as soon as possible.”
Customer-facing businesses and organizations — from a retail establishment to educational institutions — need to start by communicating with clients on how they might be affected.
“This is advice that is pretty universal, but you want to be timely and as transparent as you can be,” said Tim Dye, founder of Grand Rapids-based Dye Communications LLC. “Start by communicating to the affected parties before you make broader statements to other audiences, which includes the media. You don’t want (customers) to be hearing about it from someone else.”
Overcommunication can be a good thing when it comes to spelling out exactly how a customer might be affected and what the company is doing to curb the risk, Dye said.
“What do people do when they get an email that they’ve been hacked? Well, they immediately start Googling all kinds of things to figure out exactly how bad the hack is and start consuming information from reliable and maybe not reliable sources on how bad the situation is,” Dye said.
“They suddenly form, in their minds individually, what is going on. If you have 20,000 people in your data bank, then you have 20,000 interpretations of just how bad this situation is.”
When dealing with customers and other stakeholders, Sabo Public Relations LLC President Mary Ann Sabo maintains a relatively rigid script.
Sabo, who over her PR career has led communications through roughly two dozen cybersecurity incidents, said that messaging should include acknowledgement that something happened, an apology for the mistake, and subsequent affirmation that it will not happen again.
In many instances, companies are legally obligated to send out boilerplate mailings to inform customers that their information may have been compromised.
“If you’ve received one, you know they are not plain language, they are not warm, they are not caring — it’s just this cut-and-dried thing,” Sabo said. “We’ll always take those as a starting point and we’ll try to put ourselves in the shoes of someone that will just be getting this letter.”
For businesses lacking a crisis communication plan for a cyberattack, Lambert’s Gaunt noted that this sort of planning doesn’t have to be time-consuming or expensive.
“I think a lot of times companies may think of (crisis planning) as a big investment (that requires) a lot of time and resources,” he said. “Crisis planning can be as simple as sitting around a table and spending 60 minutes saying: ‘What are the bad things that can happen, and if they happen, who should be in the room and who should we talk to?’”