In a crisis, social media and networks are increasingly being activated at a very early stage, meaning that information may be disseminated unintentionally. If communication is unclear, customers or partners could get worried. To avoid sending out mixed messages, which is harmful for business, a crisis communication plan can be very useful. This makes it important to designate someone who will be responsible for external communication. All the other individuals will report to this person, in order to maintain consistency of communication.
Internal communication is also very important, not only during a crisis but obviously also upstream. This can be done through drills and simulations. Such training exercises, based on a specific scenario, should be held at least once a year, in a relatively quiet period.
This type of training can be an opportunity to bring in a coach, who will develop the scenario and plan the drill in near real-life conditions. The coach’s role is to ensure that the envisaged solutions are realistic, to attend the drill, and to observe and draw up a report. Improvements can be made on the basis of this document.
The ten commandments of crisis communication during a cyberattack
Excerpt from Raimondo, L. (2022). Les fondamentaux de la gestion de crise cyber. Paris: Ellipses, Chap. 8 on crisis communication.
- Prepare a communication framework in the form of an easy-to-remember diagram. This framework must be created in consultation with the organisation’s service providers and stakeholders. This is one of the keys to success.
- Prepare a plan tailored to the size of the public organisation such as a region, city or commune, or private organisations such as an SME, other company (including a large company), foundation or NGO.
- Do not neglect the type of activity of the organisation which may have to operate in degraded mode. You must therefore define what degraded mode entails.
- Always have basic documents, such as your list of contacts (internal and external services, service providers, etc.), available on a USB key and in a paper version.
- Initiate deliberations on
– the total loss of the IT landscape (replacement, resumption of activities, data loss, etc.);
– the means of communication used if the IT systems are no longer available. - Bear in mind that the main purpose of crisis communication is to allay any concerns and protect the image of the organisation or company.
- Surround yourself with the right people quickly so as not to give in to media pressure.
- The company that is the victim of a crisis due to a cyberattack has a duty to give its version of the problem and to reassure its staff, partners and customers
- Do not communicate for the sake of communicating. Crisis communication must reflect your genuine concern to provide solutions to the current problems.
- One attack may give rise to another: systematic follow-up to a cyberattack is essential.