Crisis communications – cyber attack

What do you do when your online systems are unavailable, either through technical fault or cyber attack? How do you respond to an emergency when your digital channels are down?

Communicating without IT systems

There is no denying the impact that technology has had on modern communications. Websites, social media, intranets and apps have changed the way we reach and engage our audiences. For many local authorities, digital platforms are at the centre of their communication strategies and activities.

But what do you do when your online systems are unavailable, either through technical fault or cyber attack? How do you respond to an emergency when your digital channels are down?

With the importance cyber security hitting the headlines once again, we have assembled our advice for communicators across local government to consider when planning for a cyber emergency, or communicating if the worst should happen.

Our top tips for local government communicators

Create a crisis communications plan (and keep a hard copy)
A comprehensive crisis communications plan that is integrated into your organisation’s wider emergency and civil contingency planning is essential for all organisations. As time to plan is extremely limited during an emergency situation, it is important to prepare as much as possible in advance. This will not only save you time, it will also provide you with a framework to follow as soon as the crisis hits.

Effective crisis communication plans should include:

  • Details of who will form your crisis communications team (typically your chief executive, leader, head of communications, head of legal, head of HR, head of governance, head of IT etc) and their contact details
  • a timeline of when the crisis communications team should meet during the first few hours, days or weeks of the crisis
  • who will have responsibility for signing off key messages
  • a list of the audiences you will need to reach during a crisis (including contact details)
  • a list of stakeholders you will need to reach or work with during a crisis (including contact details)
  • a list of which channels you will use to communicate your messages
  • copies of any passwords needed to access corporate communication channels

It is essential to keep a hard copy of your crisis communications plan within your organisation so that you are still able to access it in the event of a cyber-attack.

You may also like to consider including draft templates of proactive and reactive statements for a range of different incidents and emergencies that you can populate with specific details as information develops. Remember to outline the facts you do know, explain what you are doing to mitigate the situation, reassure your audience and signpost people to where they will be able to access more information once available.

Prepare and practice
Creating a crisis communications plan is only half the story. It’s important to test out your processes to ensure that your plan works and that people understand what they are required to do in the event of an emergency. Practicing your emergency response could uncover vital learning that will help to mitigate the effect of a crisis should a major incident occur.

In the case of a cyber attack, it is also important that your employees understand what dangers they should be alert to and how they report any concerns about suspicious activity. Effective planning and awareness not only increases knowledge, it could also mitigate the risk that employees will inadvertently spread malware or ransomware programmes by forwarding infected emails. Consider developing a cyber attack awareness campaign, or working with your IT colleagues on a set of key messages to share with managers or staff on the things to look out for.

Establish facts, communicate early and regularly
As with all crisis situations it is important to communicate as early as possible to help your organisation proactively manage your message rather than reacting to conversations and speculation. Consider releasing an early holding statement to outline the facts that you do know along with any key messages you wish to emphasise.

In the case of cyber attacks if you can confirm that personal data has not been compromised then you should communicate this at the earliest possible opportunity to reassure the public and stakeholders. Do not speculate or discuss issues that have not been confirmed as fact.

It is also important to update your audiences at regular intervals to keep them informed of the latest information. This ensures that you remain in control of your message.

Identify a spokesperson
With digital channels unavailable it is more important than ever to appoint a spokesperson to deliver both your internal and external messages. This should be a senior figure within your organisation, to help provide reassurance and authority. Importantly, the spokesperson must also be a confident communicator who is not directly involved in the mechanics of fixing the crisis. If they are needed to resolve the problem it will be more difficult for them to focus on key messages or dedicate sufficient time to communicating with the range of audiences you will need to reach. Consider providing your senior management team with media and communications training to ensure that should a crisis hit, you have a range of potential spokespeople available.

Avoid email and website updates
If you organisation is affected by a suspected or confirmed cyber attack avoid the use of email and website messaging immediately. Sending or opening emails could accidentally spread the virus and put more data at risk so it is important to avoid the channel.

Embrace traditional channels
When digital platforms are compromised or unavailable it is important to make use of alternative methods of communication. This may include sharing your statements with the local media over the telephone, staging face-to-face briefings for the media or key partners a sites in the local area or within your buildings and using manager telephone cascades to share updates with staff. Make sure you develop channels that do not rely on digital platforms as part of your wider channel mix activities.

Brief your contact centre and elected members
In the event of a cyber attack is it possible that you will experience a surge in calls to your contact centre or elected members as the public look for information. This is particularly likely if the majority of your information is usually housed on your website. Make sure these key groups have access to your most up-to-date statements so that they can advise people of the latest position in the event that they are contacted. You may also need to station extra people in the reception area of your town hall to update members of the public who visit your buildings.

Use personal devices if possible
If your corporate IT systems are unavailable due to a cyber attack you may still be able to post updates to your social media platforms by using your personal mobile devices.  Keep hard copies of your social media passwords within your communications team so that you can access the account for another device if necessary.

Use partner and community networks
Consider sharing your cyber attack updates and statements with partner organisations that you work closely with as they may be able to share your latest information with organisations and audiences that you may be having difficulty reaching. Invest time in building relationships with the communication teams at your partner organisations so that you have these networks in place should a major incident occur. You may also consider sharing updates through community networks or forums if you are unable to update your own digital systems.

Engage with IT and legal colleagues
Cyber attacks are complicated and often technical issues so it is important to work closely with colleagues in your IT and legal teams, and the appropriate national bodies, (for example, the National Cyber Security Centre) when creating key messages or issuing advice. While it is important that external and internal messages are articulated in easily accessible, plain English, it is important to understand the technical and legal contexts in which you are now communicating. In the event of a cyber attack your legal team and IT teams should form a key part of your wider crisis communications team so invest time in developing those relationships.

Communicate with your employees
Wherever possible it’s important to make sure you communicate with staff before releasing information to the media and wider stakeholders. It is likely that you will need your employees’ support and involvement to fix the challenges you are experiencing so it is important that they are first to know of any new developments. If staff find out updates through media or social channels it can damage the trust they have in the organisation and may limit the extent to which they are willing to support the organisation to overcome the crisis.

Communicating with your employees is particularly important during a cyber security incident, where staff could be at risk of exacerbating the spread of malware or data breaches by accidentally clicking on links. Make sure you have facilities to communicate with employees that do not rely on email.
Further information on communicating with employees during times of crisis

Respond to the new normal 
The way you communicate at the end of a crisis is just as important as how you manage the emerging situation. Communicators should play a vital role in crafting messages that explain what has happened, what has been learnt or changed as a result of the emergency and what the next steps for the organisation will be. Any changes that emerge following the crisis should be clearly explained to both internal and external audiences to instil confidence and prevent confusion.

It is also important to thank those audiences who helped the organisation to navigate the crisis, including the media, employees, partners and the public. Acknowledge the role that they have played in assisting the organisation to survive the incident. Finally, make sure you update your crisis communications plan and wider civil contingency plans with any learning or amends that have resulted from the crisis.