December 9, 2021
Cyberattacks cost the global economy close to 1 trillion dollars in 2020, a number projected to rise to $10.5 trillion by 2025. According to the FBI Cyber Division, they received close to 4,000 cyberattack complaints daily at the start of the COVID-19 pandemic, a number likely associated with the fact that 71% of Americans were working from home at the time.
With such dire cyberattack statistics, what can an organization do? Although such attacks are typically the purview of IT departments and cybersecurity divisions, as a critical department in any organization, public relations (PR) has a vital role to play.
Audio: Listen to this article.
While PR professionals may not play an active role in stopping the actual attacks, they can contribute to its overall security.
Reputational Damage: The Biggest Cost of a Cyberattack
Cyberattacks, especially those resulting in data breaches, impact the target company in quantifiable and non-quantifiable ways.
Quantifiable costs might include the company paying fines and other remediation costs, including overhauling IT infrastructure and possibly paying ransoms.
Non-quantifiable costs might include a loss of crucial business information or intelligence, loss of access to critical IT infrastructure, and, most notably, a crippling blow to the company’s reputation.
Although most companies might not tally this final cost as a major one, its repercussions can be extreme enough to lead to significant losses or even closure.
A Varonis study demonstrates the seriousness of this cost, which found that:
- 80% of customers will leave a business that had a data breach
- 85% will tell their networks about their negative experience
- 52% would pay the same price to a different brand with better security
- 52% say data security is a primary consideration when deciding where to buy products or services
As any PR professional would appreciate, reputation damage quickly escalates into financial losses, which can spiral out of control.
PR: Gatekeepers of Information
PR is the gatekeeper of information for an organization and typically holds sway in determining what information is sent out to the public. In its role, two essential cybersecurity aspects emerge:
- Information PR sends before an attack can be used to launch successful cyberattacks.
- Information PR sends after an attack can help repair a company’s damaged reputation.
In both scenarios, PR’s role as the controller of information plays a pivotal role in protecting and restoring a company’s reputation before and after the fact. However, this realization is often lost on most PR departments, which only view their roles within the marketing scope of the organization.
The first step in ensuring PR actively protects the company is by recognizing PR’s ability to control information can help support IT efforts in combating cyberattacks. This also extends to all other departments that must actively protect the company in their various capacities.
So, if PR can play an active role in cyber defense, what can it do to live up to this ideal?
What PR Can do to Prevent a Cyberattack
Moderate information before it goes public
Attackers can use the information made public to launch a cyberattack on a company. For example, placing internal emails in press releases might be customary, but it gives criminals the seed information needed to launch a phishing attack. As such, it might be prudent to avoid sharing excessive internal details like emails and official designations during PR campaigns.
Sensitize department members on attack methods
Phishing attacks are the most prevalent attack method in cyberattacks. In PR, these might appear to be emails from notable reporters or news agencies. Training department members to not click on links in unsolicited emails or download suspicious attachments can help shut down potential attacks.
Understand how a cyberattack can damage a company’s reputation
Your department is responsible for maintaining and growing the company’s reputation. Knowing that a cyberattack can undo years of work in one blow can motivate your PR team to remain vigilant against attacks. In addition, the PR department can further educate the entire organization on the potential reputational costs of cyberattacks, lending more weight to IT’s efforts.
Work closely with IT (and other departments) to create an integrated cybersecurity threat incidence checklist
An integrated cybersecurity threat incidence checklist is a master document that provides live updates on potential attacks. PR should work with IT and other departments to generate a catch-all list that applies to all departments. Contributing possible soft targets within PR can further deepen the overall incidence checklist’s effectiveness.
What PR Can do After a Cyberattack
Communicate the incidence to all affected parties
Communication after an attack is key to alleviating fears that the company might hide the hack. For example, when SolarWinds, a large managed IT service company, was compromised, they immediately published information to clients informing them of the hack and how they were handling the situation.
Create an incidence FAQ
When an attack occurs, internal and external parties have questions. Instead of letting the media and other entities control the narrative, publish an FAQ that is updated regularly, which addresses all pressing questions about the attack, including when it happened, how it affected the company, and what is being done.
Publish organization-wide incidence reporting guidelines
After an attack, employees might want to talk about it to reporters and clients or share information on social media. Creating incidence reporting guidelines will ensure all the information about the attack comes from one source: PR, which can ensure incidence reporting is done correctly.
Develop a reputation repair roadmap
An attack will dent, if not damage, a company’s reputation. PR should immediately create a road-to-recovery plan to manage the reputational fallout and rebuild trust with key stakeholders. For example, part of SolarWinds’ plan involved helping its clients report to their clients about the breach while offering ongoing support and guidance.
PR + IT = Cybersecurity Power Team
IT might be the vanguard in the fight against cyberattacks, but they falter when it comes to effective communications. Meanwhile, PR thrives at communications, making them an ideal partner to IT in developing and implementing a well-rounded cybersecurity plan.
By working closely, both departments can leverage each other’s strengths to create a more robust, credible, and resilient cybersecurity framework.
However, it starts with realizing PR has a lot to offer the organization in regards to cybersecurity and using its tools and assets to make a difference in the fight against cybercrime.
Ashley has been writing about the impact of technology and IT security on businesses since starting Parachute in 2005. Her goal has always been to provide factual information and an experienced viewpoint so that business leaders are empowered to make the right IT decisions for their organizations. By offering both the upsides and downsides to every IT solution and consideration, expectations are managed and the transparency yields better results.
Topics: crisis communications