Cyberattacks: How to Prepare for the Inevitable

Cybercrime reports have exploded in the past decade – especially since the pandemic. According to a Federal Bureau of Investigation (FBI) report released in 2021, in 2020, the FBI collected data for 791,790 suspected Internet crimes, an increase of more than 300,000 compared to 2019. In April 2020, FBI officials said they were receiving between 3,000 and 4,000 cyber crime complaints each day — up from 1,000 daily complaints before the COVID-19 pandemic. The Bureau says losses related to those crimes totaled more than $4.2 billion.

“You have to know that a crisis like this is inevitable. It’s not an ‘if,’ it's a ‘when,’” said Ann Ruth Williams, founder and chief strategy officer at tech PR firm ARPR. “So, from a marketing and communications perspective, you want to have a robust crisis communications plan on the shelf, and that plan should include cyber scenario planning.”

Williams said it doesn’t matter how big or small you are, unfortunately, no company is immune to cybercrime. And the most effective defense against it is preparation. This process has multiple layers, but one of the items is drafting holding statements, so when a crisis does happen, you have a plan in place around how it will be communicated to customers and stakeholders. Also, a note to employees that briefs them on the situation and their role in the crisis.

“You need to have a very strongly worded statement to your employees, that if they receive a media inquiry, they have to immediately escalate that and that no one in the company is authorized to speak on behalf of the company externally,” Williams said.

Geoff Blaine, senior vice president and chief marketing officer at cybersecurity company SonicWall, says this preparation will help companies put their best foot forward during a difficult time.

“I can't reiterate enough how important it is to be factual, confident and transparent during the process,” he said.

He also recommends having a cyber crisis committee in place sooner rather than later. This team should include all the stakeholders who need to be involved when a company suffers a cyberattack. Each department should have clear roles and responsibilities, so they know what they need to do when an attack is discovered.

“Have routine coordination with your internal stakeholders,” he said. “It's not just your IT team or your security team or your legal team.”

These types of plans will help a company move forward in the right way, not moving out of panic or heightened emotion. All eyes are on a company when this happens, and reputation is at high risk.

“If a company has a breach, they're a victim, but externally, rarely are you going to be seen as the victim, you're going to be seen as the offender, you're going to have a lot of blame placed on you,” Williams said. “And it's easy to be defensive in those situations, but you have to be humble.”