Leaders building cyber resilience often overlook the need to develop a crisis communications plan. Here’s how to construct and practice a strong response before a hack.
Carolyn Geason-Beissel/MIT SMR | Getty Images
Business and IT leaders have made large efforts to build cyber resilience, or the ability to respond to and bounce back after a cyber crisis such as a data breach or operational disruption. But one aspect of cyber resilience deserves more attention from most organizations: the cyber crisis communications plan. The early hours of a cyber crisis are the worst time to realize that your communications plan is incomplete or nonexistent. Circumstances surrounding an incident, during which communication decisions need to be made, are urgent and chaotic. Adrenaline is running high; everyone, from employees to reporters, is demanding answers; and salespeople looking to protect relationships may even be sharing incorrect information. A leader’s initial impulses for communication are often wrong and can create additional problems. That’s why truly cyber-resilient organizations must have a cyber crisis communications plan in place — and stress-test it regularly.
Communication around a cyber incident is crucial to mitigating reputational harm, regulatory risk, and financial fallout. Delivering the right information at the right time, in the right tone and channel, takes practice.
Get Updates on Innovative Strategy
The latest insights on strategy and execution in the workplace, delivered to your inbox once a month.
Please enter a valid email address
Thank you for signing up
What’s more, your regular business crisis communications plans may not be adequate for a cyber crisis. While the two share many of the same characteristics, unique considerations surround cyber crisis communications planning. Take stakeholder management, for example. If the crisis plan expects emails to be the main mode of communication but systems are locked, the plan is inexecutable. Cellphones, the primary network for most verbal communication, might also be compromised. Even stakeholder information held on the company’s computers might be unavailable if data is encrypted by malicious code. Planning for cyber crisis communications requires attention to the unique aspects of a cyber incident.
The July 2024 CrowdStrike outage serves as a good example of why organizations must anticipate a variety of cyber crisis scenarios and develop effective response strategies, including communications plans. The outage, which was not a cybersecurity breach but a software update issue that disrupted the operations of companies relying on CrowdStrike’s cybersecurity services, was fixed relatively quickly on the technical front. However, the communication challenges that stemmed from the outage lingered for weeks, as customers griped about a perceived lack of contrition in the messaging from CrowdStrike leaders that was delivered via social media and mainstream media coverage.
Reprint #:
“The MIT Sloan Management Review is a research-based magazine and digital platform for business executives published at the MIT Sloan School of Management.”
