Communications with Stakeholders after a Ransomware Attack
by Charlie Maclean-Bristol, FBCI, FEPS
Charlie discusses the issues associated with communications after a cyber-attack, and how to develop a plan that will make a huge difference in an organisation’s ability to survive and keep their reputation after a data breach.
To be able to cover multiple time zones, yesterday I was up at seven o’clock for a cyber exercise with a multinational company. One of the learning points in the post-exercise report was the lack of a plan to inform stakeholders, and especially customers, after a data breach. There are several critical issues associated with communications after a cyber-attack. Today, I will explore some of them.
Have You Lost Control of Your Data?
The first issue you have to understand is under what circumstances you need to inform stakeholders of the breach. The ICO regulations state that you have a legal responsibility to those whose data you hold and have lost. If you suffer a ransomware attack, it is often targeted specifically at your company, and the attacker will attempt double extortion. This means that the attackers have gone into your systems and moved around to identify and extract the most sensitive data, hoping that the company will pay a ransom to prevent the information from becoming freely available. Once they have done this, they will lock you out of your files and demand a ransom for the key to decrypt them. In double extortion cases, you have definitely lost control of your data: it will have been removed and is now in the possession of a third party. If the files are locked and there is no evidence of the files being removed, be aware that you have still lost control of the data; therefore, you should inform those whose data has been encrypted.
The issue for me is that you can't see exactly what information has been extracted. The more sophisticated the cyber defences are, the stealthier the attackers have to be to get hold of the data without alerting the organisation until they have what they want. After the SolarWinds attack, the company spent weeks scouring their systems, knowing they had been vulnerable to an attack but not knowing whether the attackers had taken data from them. As there were 18,000 vulnerable organisations, the attackers didn't have the capacity to attack and remove data from all of them. For a less high-profile organisation, it was unlikely that it had been attacked, but it still had to make sure.
Staff and Customer Key Audiences
If you suspect that you have lost control of your data, you must inform those whose data you have lost control of. They want to hear this information from YOU! Usually, you must inform three main groups of people: your customers, your staff, and your suppliers. The most sensitive data normally belongs to your customers and staff. Communicating a breach to your staff should be relatively easy and quick, as most organisations already have several different channels for doing so.
The Clock is Ticking
Customers are the ones who make the company money. Therefore, your purpose is to provide a great service to them, as they are vital to the company's future, well-being, and existence. Your customers don't want to hear about a data breach in your company from the media or a third party. It is imperative to inform those customers who have a major impact on the company and spend a significant amount of money. Another factor to remember is that you have a limited amount of time to contact and inform the customer before the information is leaked. All data breaches in the UK and Europe have to be reported to the relevant information commissioner within three days. Part of the report has to include how the company plans to inform those whose data has been lost. There is a very tight timeline between becoming aware of the breach and informing the relevant customers.
Develop a Customer Communications Plan
A comprehensive customer communications plan should already be developed, as there isn't a lot of time after a data breach to develop one. The company must be able to execute its plan regardless of whether it has been locked out of its systems or its files are encrypted.
The following steps will help you develop a plan:
1. Identify who your customers are. Do you need to segment them into groups? For example, in groups of priority.
2. Decide how you will deal with past customers you are presently not engaged with but whose data you still have on file.
3. Identify potential customers you are engaging with, whose details may be held in a different place from those of actual customers.
4. Review the different ways you engage with customers at present. Do you have a customer relations team or contract managers who have personal relationships with the customers? Do your senior managers have connections with the customer’s senior managers? If you don’t have a personal relationship with your customers, you may have a marketing list that can be used to reach all your existing customers.
5. The outcome of a review should be a map of the different ways you engage with your customers.
6. Once this has been done, start by making a list and allocating the tasks listed below:
- Customer groups.
- Who is responsible for contacting each group?
- How will they be contacted? This could vary from a personal call from the CEO to a mass email.
- Where will the contact details be stored?
- Who is responsible for writing correspondence?
- Who will update the details regularly?
- How will your plan be executed if the company's systems are affected by a cyber-attack?
7. Below, I have listed other items which could be incorporated within the message to customers and that companies should consider in advance:
- What help could you offer them? This may include credit monitoring services and what they can do to protect themselves.
- How can they be reassured that this won't happen again?
- How can they contact you or find more information?
- Consider language barriers between you and your customers and how to communicate information effectively.
8. Write this up into a plan.
9. Once the plan is fully developed, staff must be trained in how to execute it, and it must be exercised regularly.
Time and time again, I notice that many companies do not have a customer communications plan in place. Instead, they flounder around, not knowing where to start, while in the meantime their customers are finding out about the breach from the media. If a cyber-attack took place and there was no follow-up plan in place, customers would most likely leave and find another company that took better care of their data. Companies spend tens of thousands of pounds on securing their networks, knowing that a sufficiently determined attacker will still get in. However, they don't spend their time and effort doing the work that will make a huge difference to their ability to survive and keep their reputation after a data breach.
This article was originally published by BC Training Ltd.
Charlie Maclean-Bristol is the author of the new book, Business Continuity Exercises: Quick Exercises to Validate Your Plan.
“Charlie drives home the importance of continuing to identify lessons from real-life incidents and crises, but more importantly how to learn the lessons and bring them into our plans. Running an exercise, no matter how simple, is always an opportunity to learn.” – Deborah Higgins, Head of Cabinet Office, Emergency Planning College, United Kingdom