Skip to main content

Emotional thinking: why cyber crisis communications needs more than tech to succeed

This article was originally published on

Cyber crises may be driven by technology, but at their heart they are very human affairs.

Get the communications process wrong – a mistimed announcement, using the wrong tone or portraying a lack of transparency – and a company can go very quickly from being the victim of a cyberattack to being labelled the perpetrator that allowed the problem to happen.

How a company emerges, and how its reputation will be affected, is often decided by the emotional response of the people impacted, and there are several complexities to consider.

First, there is the difficulty of proving the source of an attack, or the “attribution problem” that has dogged the internet almost since its inception. You may know how your system was accessed - it’s just that you may never find out exactly who did it or why they broke in.

Then there is the limited view of the data that has been compromised and exactly how many people have been affected. This increases the risk that a company may say too much too soon, or not say enough, sometimes leaving them in the embarrassing position of having to correct previous statements.

An added consideration is the increased scrutiny that regulators are putting on companies and their responses to cyber incidents, especially those where data is compromised. Fines can now be in the hundreds of millions of dollars under regulations such as the European Union’s General Data Protection Regulation, or GDPR, introduced in May 2018. The view from experts is that companies should be ready for the greater involvement of watchdogs, no matter which jurisdiction they are operating in.

Cyber life-cycle

In our experience, there are four key moments when communications teams must make decisions that can make or break their response handling: Discovery, Disclosure, Live Handling, and De-escalation and Recovery.

The discovery phase is that “smack in the guts” moment when a company realises they have suffered a cyber incident or the real or potential loss of data. Companies can spend too long focusing on how an outside actor was able to access their systems, isolating the vulnerability and closing the security gaps. This is often to the detriment of the communications response. The biggest question a company needs to answer is not “why did this happen” but “how do we now protect the interests of our stakeholders?”.

To counter this during the live handling phase, companies need to try to get ahead of the story, show transparency and reassess their responses. They will need to regularly engage with stakeholders, even though the uncertainties inherent in cyber issues means that communications teams will have to adapt faster and with more flexibility than in other crises.

This type of decision-making requires clarity of leadership, which is hard to achieve if a company is simply reacting to events as they unfold. Most companies are aware of the issues they may face, and more are looking into developing communications protocols through cyber crisis workshops to speed up decision making processes and prepare them to these events.

More than anything, company leaders need to reassure stakeholders that they can continue to trust the brand and its values.

Ben Richardson, Finsbury, Partner and Head of Asia

This article was initially published on Campaign Asia’