Back to basics – From chaos to communication
Updated: Jan 22, 2020
The Travelex ransomware attack which started on New Year’s Eve was truly shocking to watch as it unfolded. I am very sorry for the organisation, its staff, and customers affected, and hope normal business is restored soon.
It would be easy to be critical when you're on the outside looking in, but that would be unfair when we don't have the facts. In any case, who can honestly say their plan for a ransomware attack is watertight and exercised? Your Incident and Communications Teams will be under massive pressure, and initially it will feel chaotic. The key to gaining control is assessing the situation and communicating as soon as it is practical and sensible to do so.
Last week I recorded a podcast https://www.thebcpcast.com/ with James Watts of Databarracks https://www.databarracks.com and we discussed the question of what important activities an organisation could undertake to improve their resilience to serious disruption, such as ransomware attack.
One of the key actions I covered is the communications strategy and plan.
Communication is the first and most important thing you do in any incident. It is a complex subject which is worthy of in-depth exploration, but here are some quick pointers:
Make sure you have an approved incident communications plan, which is separate from, but annexed to, your main incident response plan.
The communications plan must include a ‘holding’ statement, which is a general statement to be used whilst the situation is being investigated. Make sure it includes a line to say that a fuller statement will be issued when facts are known.
Communication to your customers and stakeholders will be a top priority, but don't forget the staff! A few years ago, I heard of a company that had an incident and set up a customer helpline. Unfortunately, it was inundated with calls from staff, who rang it because it was the only place they could find out any reliable information about the incident!
Make sure that the messaging, both internal and external, makes it clear that senior management are owning and controlling the incident. There should be no hint of blaming anyone else, or of making out that things aren't as bad as they really are. If some information or facts are not yet clear, say so! Honesty and transparency are vital, as is sensitivity to those affected.
Social media must be controlled, or else it will control you! Within seconds of your incident, the event could find its way onto multiple social media platforms. It's hard to stop this juggernaut, but the Comms team must be pushing out official, approved company messages, as well as monitoring for and countering any 'unofficial' messages, including from your own staff*. There are tools to help you do this. One example is Hootsuite, but there are others.
*It is a fact that your own staff might use social media to tell their friends what’s going on – and if you don’t give them a clear update, they will speculate. They may be doing it out of naivety or frustration, but they could cause untold reputation damage, and undermine the incident team. It’s important that staff are included in Business Continuity training, and understand the rules about the use of social media within the organisation. Some organisations have a policy which makes inappropriate use of social media in relation to the organisation a disciplinary offence.
Plan ahead for how you will communicate if IT systems have failed or are compromised. Here are some thoughts:
Make sure a copy of the contact details for *all key contacts is quickly available off-line or outside your environment. This might take the form of a cloud-based database backup (which is test-restored regularly!), use of specialist software, or cloud-based email or communication tools.
*This includes staff, customers, partners, stakeholders, and anyone who can support or advise you during the incident, such as insurance companies or 3rd party support teams.
If loss of your own systems means you can't send messages yourself, ask for help from a trusted partner or supplier to do it on your behalf, making it clear in the wording that it's a collaboration due to the current exceptional circumstances. (But note the GDPR point below.)
Internally with staff, make sure you have a communications process which includes multiple different methods of delivery (including old fashioned floor walking if necessary), and use of personal mobile numbers if staff have given their permission. There are many software tools on the market for rapid communication, and whilst some are more suitable for large global organisations, some are geared towards SMEs in terms of affordability and implementation.
Your communications process must also include a channel for staff to escalate upwards urgently if needed, and to bring matters to your attention or raise questions and concerns. Again, there needs to be a way of doing this when your usual business-as-usual ('BAU') systems are unavailable.
When planning your incident communications strategy, check out the GDPR implications if you are backing up or holding data off site. GDPR doesn’t stop you, but you need to make sure your data is secure, and is being handled appropriately and safely.
It goes without saying that incident communications response must be rehearsed and tested regularly.
Remember: if you leave any gap in your communications, someone else will fill it for you, and it will be with information which is probably inaccurate. No matter how hard your incident team are working, if to the outside world you appear to have lost control, then you have lost control.