Comms teams can change how organizations respond to cyber crisis, not just clean up the mess after it happens
By James Stranko
As businesses respond to the ongoing Russian invasion of Ukraine, many have become justifiably concerned about retaliation in the form of cyberattacks.
Russia is no stranger to cyber warfare against private enterprise. The very public positions many organizations have taken against a simultaneously belligerent and defensive government paint bright targets for potential attackers.
And while infosec teams are busy asking leadership for generous technical budgets to shore up defenses, comms leaders can make a case for simpler (and more cost-efficient) investments in cyber readiness right now that pay off in both the short and the long term.
Here are three ways the communications function can join the fight to lower the chances of a successful attack while raising awareness and capabilities across the organization.
1. Educate employees on how the cyber threat has evolved
Many executives have a very limited understanding of what cyberattacks look like. Pervasive corporate email campaigns to combat phishing, along with years of headlines about data leaks and ransomware, have conditioned most employees to think that the only way to get hacked is to click on a suspicious link or attachment. But cyberattacks and fraud take many less-obvious forms, and the communications function is well-positioned to teach and train employees to be front-line soldiers against evolving threats.
One example where comms can play an important role in stopping attackers is educating employees about social engineering, including “smishing” (phishing over SMS) and “vishing” (phishing over voice calls), where criminals combine traditional cyber tactics with direct human contact to extract the information necessary to strike. Even the most failsafe tech is no match for a pushy scammer who can exploit an employee’s trust. Comms teams are expert at creating talking points for interviews with the press, or conversations with policymakers or shareholders.
These same teams can also do an ace job at creating internal comms campaigns and agreed protocols for how employees should respond to requests for sensitive information like login credentials, financial details, or even executive whereabouts, and give air cover to junior employees who may make what seems like a bad business decision in service of confidentiality and information security.
2. Teach employees how to spot (and respond to) fake information
While many cyber criminals are motivated by ransom or by data theft, companies exposed to political or other volatile situations need to become resilient against attacks that are designed to sow chaos and doubt rather than steal something specific.
These can take the form of disinformation campaigns, where a malicious actor spreads untrue or partially-true (but out-of-context) information through social or other traditional channels to put an organization on the defensive. Think deepfakes, where videos, photos, or other visual assets are manipulated to omit or change vital pieces of information.
They can also take the form of misinformation, where the story isn’t necessarily untrue, but its amplification or decontextualization makes the information damaging.
Comms leaders have an integral role to play in building business resiliency against fake information. Internal communications channels are important, but comms leaders can create lasting impact by building resources to verify and validate company information. By centralizing the “source of truth” for companies, and by enabling employees to be the “eyes and ears” of the corporate comms team, organizations can spot and respond to threats more quickly.
3. Build trusted crisis communications protocols and channels
Some people perform better under pressure but just as many crack. Cyber criminals expertly manipulate uncertainty, fear, and disorganization to find the weakest spot in organizations to attack.
The Chief Information Security Officer’s (CISO) team spends significant resources trying to keep attackers out of technical channels. But once the dam breaks, the job of scooping up the water often falls to comms and legal teams as the reputational damage swells.
Some of the worst breaches (think Equifax as the poster child) had reputation damages that stemmed more from the mismanagement of the crisis than from the crisis itself.
In the fog of crisis, comms teams are often caught on the back foot because they do not plan alongside the CISO or the CIO’s team (or are not invited to the table). This creates an ideal environment for broken trust, blame-shifting behavior, and suboptimal outcomes.
Comms teams that build a working relationship with their CISO or CIO before a breach happens can embed themselves meaningfully in crisis planning. At a minimum, this should take the form of being a consulted or informed party at each stage of a cyber crisis. Ideally, the teams would plan, rehearse, and execute company-wide cyber crisis drills to test organizational and communications resiliency. While there are lots of backstops built into technology, there are very few failsafes for flawed human behavior.