10 steps to prepare to communicate about cyber incidents


Communicating around cyber incidents can fill even the most seasoned communications professionals with fear. According to recent research, almost half of communications teams feel unprepared to communicate about them. A good communications response to a cyber incident is critical to protecting reputation and minimising subsequent commercial impacts such as a loss of customers or intellectual data.

We share here 10 steps to help organisations prepare to communicate confidently about cyber incidents.

1. Understand what data your organisation holds and identify the legal, regulatory, operational and reputational risks a breach would cause.

2. Identify which regulators you would need to communicate with in a cyber incident. Develop relationships with them in peacetime.

3. Develop draft materials for how you would communicate detailed technical information to non-technical audiences.

4. Map the key stakeholders you would need to communicate with and the most suitable channels. Consider the implications of an IT outage.

5. Media train potential spokespeople specifically against cyber incidents. Ensure they can speak confidently about cyber issues.

6. Engage senior leaders and agree how your organisation would approach the difficult challenges around a cyber incident:

  • Would we proactively communicate?
  • How would we respond to a ransom attempt?
  • Do we apologise if it’s not our fault?

7. Write a list of questions you would need to ask your IT colleagues in a cyber incident.

8. Develop a cyber playbook or toolkit documenting all of the above.

9. Engage with your IT colleagues so they are familiar with your plans.

10. Rehearse the communications response to a cyber incident through a crisis exercise.

Read 7 tips for cyber exercises.

Building your data breach response capability

By Dominic Cockram

“Spectacular achievement is always preceded by unspectacular preparation” (RH Schuller) is a great adage in the crisis management arena and applies equally in the cyber readiness world. Our experience in both preparing our clients for cyber response and supporting them during cyber incidents has highlighted some key areas and lessons.

Top Tips for successful Business Continuity planning


Business Continuity Management Systems (BCMS) encompass comprehensive and often detailed suites of activities. Comprehensive, however, does not equate to incomprehensible. And detailed should not be a euphemism for over-engineered.

Consideration of the following should help keep your BCMS lean, mean and fit for purpose.

Engaging the top team in crisis preparedness


If leaders are not brought into crisis preparedness personally, crisis structures, process and capability building can be undermined and ineffective in a crisis. There is little point attempting to be ‘crisis ready’ when those responsible for leading the crisis response don’t know what to do.

Why does it matter?

Reputation is invariably at stake in a crisis. Yet, managed well, crises can enhance reputation and present great opportunities. Nick Varney, chief executive of Merlin Entertainments, was praised for his leadership and media handling skills following the tragic roller coaster crash at Alton Towers in 2015.

Any business leader who has managed a crisis, major incident or issue, will say that time preparing is time well spent. When a crisis hits, it is not the moment to reach for the plan and learn how the organisation’s crisis response works. The pace and complexity can be overwhelming even if well prepared.

Awareness of your organisation’s crisis structures, processes, roles and responsibilities is central to an effective response. Senior teams need to know what support they will have to help them act decisively and communicate quickly. It’s important to establish clarity on reporting, decision-making, and where authority, responsibility and accountability lie ‘in peacetime’.

Decision-making by the crisis management team is one of the most critical but challenging non-technical skills required. Good decision-making can safely steer an organisation out of a crisis and on to future success. Bad decision-making can exacerbate a difficult situation and have long-term negative impacts on the reputation and value of the organisation.

Observing crisis teams at work, I’ve seen the psychological impact uncertainty has on the efficiency and effectiveness of decision-making. Even the most clear-headed and decisive senior executive in day-to-day settings can be overwhelmed in a crisis, leading to uncharacteristic errors, decision avoidance or delays.

How to engage senior executives in crisis preparedness

Take small steps

Initially aim to engage the top team in bite-size activities rather than a huge programme. One hour best practice sessions, sharing a relevant case study and short scenario exercises can build awareness of its necessity and encourage further engagement.

Use the cyber imperative

Preparing for cyber risk is on almost every executive team’s agenda. Use this imperative to focus minds on the broader aspects of crisis management.

Build through governance

The UK Financial Conduct Authority and other regulators have brought crisis management into their governance regimes and it is a growing expectation that executives are prepared and professional. Use this as a prop to build engagement.

Scare them

Use high profile examples of businesses facing crises to show the likely scrutiny they would face and how lack of preparedness can lead to great vulnerability – personally and corporately.

Give them a crisis… simulation

Senior executives are often disengaged because they do not realise the extent of the complexities and challenges presented in a crisis. A fully immersive simulation exercise exposes just how uncomfortable it can be.

Final thoughts

Not everyone is cut out to be a crisis leader. Sometimes those who lead during ‘business as usual’ find it challenging to turn their skills to a live crisis, where decision-making needs to be quick, done under pressure, and with limited information, high risk and accountability. Identify your crisis champions early.

It is crucial to prepare crisis leaders for their role, and to build and develop their crisis capabilities. An effective way is experiential learning, such as crisis simulations and training that focus on building self-awareness of strengths and weaknesses. A mature crisis-ready organisation will have a bank of leaders able to take on a crisis leadership role in their function, business, geography or at the most senior level. Ensure that the right people, with the right experience and skills and trained in the right processes, occupy the right roles.

Crisis preparedness is about having teams at every level prepared to respond to and manage the worst case situations. Develop the executive team crisis response capability to face the unique challenges of a crisis and to make critical decisions with insufficient information, not enough time and with the world watching.


Seven tips for cyber exercises

By Dominic Cockram

Cyber attacks will continue to threaten business operations, with many commentators claiming that this year we could see ‘the big one’.

Organisations are increasingly focused on understanding the impacts a cyber attack could have on their operations and reputation. Many are now using cyber scenarios in their crisis exercises to test and validate their assumptions on how they would respond and reflect on the unique challenges a cyber attack could bring.

The exercises range from fully immersive simulations, which develop and build competence and confidence by realistically replicating the pressures, issues and uncertainty, to desktop sessions, which give leadership teams and broader management the opportunity to familiarise themselves with the nuances of a cyber response, such as the awkward language and reporting processes.

Having run a large number of cyber exercises over the last 18 months, I thought it would be useful to share some of the common lessons.


‘Strategic’ and ‘operational’ resilience – establishing more comfortable bedfellows

By Dominic Cockram

The more I hear of the current discourse on organisational resilience, the more uncomfortable I find myself feeling.

The concept has been around for a long time and was brought sharply into focus in 2014 by the British Standard, BS 65000: Guidance on Organisational Resilience. As one of the editors, I was party to vivid and lengthy discussions and much positive disagreement as we ranged around the topic of organisational resilience, what it meant and how best to set it out in a standard. In the end, what came out was a ‘Guidance’ and that was an excellent result. Resilience is a complex and many-faceted concept and it would have been wrong to go too far in framing an approach at this stage.


TalkTalk: The twists and turns of the cyber crisis continue

The story of the TalkTalk cyber crisis and the company’s response continues to unfold. Over the weekend we saw the inevitable outrage, with stories galore of customers with “potentially hacked bank accounts” raising a whole new raft of rumours, heating the debate and breeding more noise about what might have happened and just how great the impacts may be.

The story was moved by the CEO (quite cleverly) to the broader focus of “cyber risk is a wider problem the UK needs to face up to and address”, with calls for more Government support to tackle cyber crime. A fair appeal, and one raised by me in my earlier blog: regulation and control, or assurance, in this domain is very much required, even though it is challenging to apply in a reasonable manner.

Talk Talk – a network hack by any other name

TalkTalk is the latest in a long line of high profile businesses to undergo a ‘cyber attack’, as they call it. A real pattern is emerging of how these matters are managed in the public domain, and it is interesting to note there is no use of the dreaded “hacked” terminology in their reports and messages.

They are now in that incredibly tricky position of knowing intruders have been in, but not being quite sure what they have left with in their bag of electronic ‘swag’. It is now that the executive team discover just how convoluted the investigations can be, and the awful fact that they may never know exactly how the intruders got in or what was taken. At a time when everyone is seeking certainty, the challenge of a cyber crisis such as this is that investigating where intruders have been on your network, particularly if it is integrated across key platforms, can be a very, very long process. It can be quick if fortune smiles on you, but there are no guarantees.

Volkswagen: a long road to recovery

By Dominic Cockram

It has certainly been a busy few days for the VW crisis management team. If they had a mature and practised crisis preparedness capability in place, then hopefully they will have been hard at work for some time now. Suggestions are that others had some foresight that all was not well in the industry from the roadside test reports, so there may have been some early work going on.

But, in facing this potentially overwhelming corporate crisis, how should VW set about managing the crisis, identifying their priorities and ensuring their reputation recovery?

Getting ahead in the reputation game

Reputation, and the importance of a good reputation, is well understood; for businesses, reputation is a vital and valuable commercial asset, albeit an intangible one. But how do organisations actively protect their reputation and manage the risks of it being damaged?

That is a harder question to answer. The 2014 Forbes Insights Survey found that 39 per cent of companies surveyed rated the maturity of their reputation risk programmes as “average” or “below average”, and only 19 per cent gave themselves an “A” grade for their capabilities at managing reputation risk. Clearly there is still much to be done, but what? In this blog, I offer some ideas for consideration and debate.

Influencers of corporate reputation

External perceptions of quality, transparency and trust are key influencers of corporate reputation, as found by research published in the Edelman Trust Barometer (an annual survey of more than 5,000 informed publics in 23 countries), the Fortune 500 listing of the world’s most admired companies and the Reputation Institute. But herein lie the first two problems for reputation risk management. Reputation is an intangible asset, and its gift is in the hands of your stakeholders; both factors make it harder to gauge.