3 Best Practices for Crisis Management During a Cyberattack

5-21-15-TM

When crisis strikes, it’s human nature to panic under the crush of wholly unpleasant emotions. Think disbelief, fear, anger and guilt, with some exhaustion tossed into the mix. Our equilibrium is thrown out of balance, and oftentimes our sense of what is right and wrong is upended along with it.

Companies around the world now face new and complex crises—things like cyberattacks, phishing and hacking—that can pose enormous threats to safety, reputation and profitability. Damage to a brand is pretty much guaranteed to happen when a company is not prepared with robust business continuity and crisis communications plans. There are now more than 80 to 90 million cybersecurity events each year, costing the global economy $575 billion in 2014. It is predicted that the number of cyberattacks will only grow from here, and with it the concern felt by the general public.

Charles Barber of The Economist
Charles Barber of The Economist

This is something I’ve experienced firsthand in my work with The Economist. At The Economist, we are well prepared for these types of crisis events, and have established a crisis management framework of how we tackle issues head on. We refer to our methodology as SIADI, which stands for items on the standard meeting agenda: Situation, Impact, Actions, Decisions, and Issues.  By reviewing this information iteratively each time the crisis team meets, we are able to adjust our response as new and better information becomes available.

This came into action when we had a particularly spooky incident Halloween last year; our third-party analytics service was hacked, potentially exposing millions of our website’s users to malware. Though the security breach was discovered within five minutes, it took 83 minutes to halt, after which we turned to the following best practices to respond swiftly and thoughtfully. It turned out that a very small number of customers was affected. We received less than half a dozen customer enquiries.

1. Understand what happened before taking action.

To gain both a full understanding of the breach and third-party credibility, we worked with a specialist company that conducted an analysis of the malware. Only once we had detailed information were we ready to issue a statement to our users. Taking this pause helped us avoid unnecessarily alarming our customers without having a solution for them. This also gave us time to equip our key crisis staff and our customer service team with FAQ for media and internal parties. It is key to ensure frontline staff is fully equipped to handle incoming enquiries.

In the day or two after a crisis, it can be difficult to pinpoint what went wrong where, and it’s important to stay calm and rational while assessing the issue and agreeing upon an approach. Third-party software used on Economist.com was hacked last year. As well as making sure the breach had been sealed one of our first tasks was to identify what, if any, information the hackers had acquired and how many of our customers were impacted, in order to finesse our crisis communications plan to suit this situation. Fortunately, we didn’t have to start from scratch, as we had a framework in place to deal with these types of issues, which I recommend all communications professionals and companies institute as well.

Once we had access to all of this information, we knew exactly what we were dealing with and how to tweak our framework. We had tested the fixes we were advising our customers to implement to ensure they were true fixes. Not doing so is very likely to worsen the crises, attract negative coverage and worst of all, damage your relationship with your customers.

2. Transparency is always the right answer.

Businesses have a duty to care for their customers; it is critical for customers to trust a brand for it to maintain its reputation. Warren Buffet was correct when he said: “"It takes 20 years to build a reputation and five minutes to ruin it.”

During a crisis—and at all times—it is important to be authentic and truthful, especially in the age of the 24-hour news cycle in which journalists update articles minute by minute. The Economist is guided by an ethos of ethical and moral business integrity. We felt that making a public statement about the third party was the right thing to do—both in general and for our company. To communicate the breach to Economist users, we drafted statements for our website, for media and for our customer service team. The message was informative—here’s what happened and here are the necessary steps to find and remove the malware if you think you may have been affected—and it was reassuring.

3. Don’t neglect your reputation.

The Economist has a treasured loyal base of customers. With the goal to safeguard our reputation without needlessly inserting ourselves into conversations or starting new ones, we conducted both proactive and reactive media outreach in the wake of the cyberattack. Along with monitoring the media and social media conversations around the hack, we issued our prepared statement and corrections as necessary. To all of our concerned users, we gave direct and personal assistance, offering up the names and phone numbers of dedicated customer service contacts around the world. Plus, by reaching out personally to reporters, we further established that we took the breach very seriously and were effectively managing it. As one media outlet wrote about the breach, “The damage appears to be limited.” Within a week, it was all over.

Charles Barber is vice president, PR and thought leadership, for The Economist. Stay in touch on Twitter: @CharlesSBarber.