Transparent and Direct: Mastering the Management of Cyber Incidents - Narrative Strategies

Written by Avery Monsees, Director | Jul 30, 2024 4:00:00 AM

Imagine this: you wake up on a regular Tuesday morning, you commute to work, you sit down at your desk, and open your computer, expecting another typical day. But it’s far from that: your company was just the victim of a large-scale cyberattack. That’s what nearly happened to the multinational credit reporting agency Equifax last year. When the company’s Chief Information Security Officer (CISO) Jamil Farshchi recounted the potentially catastrophic event, he noted that Equifax would have been scrambling to pick up the pieces in the aftermath of a ransomware attack if not for a warning from the Cybersecurity and Infrastructure Security Agency (CISA).

That was just one story I helped to tell at CISA as the press secretary for the nation’s cyber defense agency. After Jamil shared his thoughts in an open forum on LinkedIn, Bloomberg spoke to Jamil and others at CISA in detail to fully explain the gravity of ransomware attacks and how CISA can help stop bad actors in their tracks. Stories like these illustrate the need for CEOs, board members, and other executives to take cybersecurity seriously. That includes paying special attention to how their companies communicate before, during, and after an attack.

Our world of unlimited connectivity comes with vulnerabilities that we sometimes underestimate. With just one click, bad actors and ransomware gangs can access passwords and sensitive data, seizing private information and using it to extort victims for their gain. The recent breach suffered by Ticketmaster exposed the private information of millions of people, highlighting the severe and swift impact of cybercrime. According to USAID, the cost of cybercrime was estimated to exceed $8 trillion in 2023, with projections reaching up to $23 trillion by 2027.

Software continues to be made with flaws, requiring multiple updates to be installed by the user—a burden we all share on our smart devices. An over-reliance on a few select software providers has left companies and our government unable to fully function in a crisis. This is, in part, what led to the recent global IT outage caused by a flawed software update that grounded planes, shut down hospital systems, and affected emergency call systems.

Unfortunately, many companies hesitate to prioritize cybersecurity risk as a core business concern, often neglecting discussions around it until an issue arises. They tend to sweep the problems under the rug when something goes wrong. However, it’s essential to recognize that cybersecurity threats affect everyone, from individuals and families to company executives and government entities. When sensitive data is compromised, there is a demand for transparency from consumers, lawmakers, and regulators. Companies must communicate openly, effectively, and sincerely when facing a cyberattack. By adopting proactive communication strategies, companies can take control of the situation, addressing the issue directly instead of shying away from it.

Last summer, casinos and hotels in Las Vegas were targeted by a cyberattack, providing a notable example of an effective communication response when facing a cybersecurity crisis. Despite the significant impact, MGM responded promptly and openly when they detected the attack. Officials consistently informed the public about their progress in returning to normal operations, demonstrating their commitment to transparency and building trust with their customers, investors, and the public.

Effective communication during cyber incidents also plays a crucial role in raising awareness about cybercrime in general. It helps shift the focus from victim shaming to holding the perpetrators and the flawed software accountable. Just as we wouldn’t blame a driver for a car’s malfunctioning brakes but rather the manufacturer, a company that falls victim to a cyberattack despite diligent cybersecurity practices should not be blamed. Instead, attention should be directed toward the entities responsible for the lapses in security.

By sharing accurate information, outlining next steps, and setting forth their goals, the narrative can shift from blaming the victims to addressing systemic issues within our software and the rising trend of cybercrime.

As a former spokesperson for CISA, I witnessed firsthand how different organizations chose to respond during cyber incidents. While CISA is readily available to support affected entities, private companies can react in ways that align with their values and priorities. If more CEOs and top executives take an active role in cyber planning and assertively guide the narrative during cyber incidents, the landscape for all companies will transform. What is your company waiting for?

P.S. – if nothing else, take this as a friendly reminder to change your passwords and set up multi-factor authentication!

If you’d like to learn more, reach out to me at amonsees@narrativedc.com.