A. Define the information to be shared
A BCP must set out not only what type of information will be communicated and to whom, but also how it will be delivered. The issue of communication deadlines is also very important and can be determined upstream, when setting out the BCP. Finally, choosing the right person to communicate is essential.
B. Internal communication
In any organisation during a period of crisis, employees will wonder what is happening, what the impact of the crisis will be for them, what attitude they should take, and so on. This means that it is crucial to provide them with useful and specific information.
In a number of cases, the nature of the activity can lead to particular repercussions in the event of a crisis. For these critical infrastructures, the head of legal services must be informed very quickly of the impacts of the crisis.
Another strategic area in terms of communication is reception. The people who work there are often the main point of contact for individuals and entities from outside the company. If there are calls from outside the organisation about the ongoing crisis, communicating with reception staff as to what they should say is crucial. Otherwise, someone working in reception could find themselves at a loss, perhaps panicking or even making things up or communicating information they should not.
C. External communication
Today, social media and networks are becoming ever more reactive. In a crisis, depending on the company concerned, it is quite possible that content (articles, tweets, etc.) about the current crisis will emerge and potentially cause harm. It is therefore important to regain control, at the least by communicating widely that the organisation and its managers are aware of the situation and are taking all the measures required to remedy it, or simply by explaining that it will not be commenting.
It is wise to plan for other communication channels in case a problem disrupts the traditional ones (telephone, email). Some companies use consumer messaging (WhatsApp, Telegram, Signal, etc.) for informal day-to-day communications, whether internally or with external partners. In a crisis, it is best to turn to customised and secure solutions, in order to maintain the confidentiality of the information that is exchanged.
D. The right time to speak to the media
Often, one of the differences between classic crisis management and cybercrisis management is how quickly you have to communicate with the media. This remains a delicate matter, even with a good crisis communication concept.
When should an organisation draft an official press release and release it to the media?
Every crisis is different, but the right time to start drafting a communication is as soon as possible. One of the priorities for the communicator is to understand the type of cyberincident involved as soon as possible. A Distributed Denial of Service (DDoS) attack that makes the victim’s websites unavailable will not entail the same communication plan as a massive citizen or customer data breach.
The decision on when the information is communicated must be made in consultation with the technical team in charge of responding to a cyberincident and validated by the cybercrisis management staff. There is no ready-made answer – the ideal moment cannot be decreed; it must be prepared. There is a need to properly monitor what is happening internally, to have set as many measures as possible in motion and to match them up with the signals coming from outside in order to report on the cybercrisis situation. The priority is still that the hacked organisation announces the news to potential victims such as customers, partners and service providers (collateral damage must not be neglected).
[Figure: Decision tree for the course of action]
Excerpt from Raimondo, L. (2022). Les fondamentaux de la gestion de crise cyber. Paris: Ellipses, Chap. 8 on crisis communication.
