Companies whose systems have been infected by ransomware attacks have not only an IT security problem, but also a communications issue. They must be extremely careful in what, when, and how they talk about the crisis at hand to not exacerbate the situation, say PR pros with backgrounds in cybersecurity.
Cyberattackers could be watching to see how affected companies respond, according to experts.
"Keep in mind what’s happening from a technology standpoint, because what you communicate could make a situation worse," says David Schraeder, SVP at Grayling, who leads crisis response and issues management work for the firm. "It’s very possible that the people who executed whatever malfeasance against your systems are looking to see what the impact is so they can get feedback from lots of directions—including the media."
Companies should weigh several factors, including their business type and the amount of damage inflicted by the attack, notes Scott Radcliffe, global and privacy risk lead at FleishmanHillard.
"It’s important to ground any particular approach a company might take in the scope of the actual impact of the incident in terms of how it affects the organization and its interactions with customers," Radcliffe says. "What I mean by that is a healthcare organization would need to have a different response than a manufacturer."
He adds that "maintaining a calm, measured tone in how [organizations] are responding will help to contain the response from stakeholders."
When responding to cyberattacks, the situation can change quickly, Radcliffe adds. For example, with the WannaCry attack that took place globally this weekend, a malware analysis expert happened upon a kill switch, which was a temporary fix that could easily be bypassed. What’s being called the biggest cyberattack in history infected more than 300,000 machines around the world, including those at companies such as FedEx and Nissan, according to CNN.
"You have to be careful about what you’re declaring at any given point because the dynamics of these situations change dramatically from one minute to the next," Radcliffe said. "Even if many other parts of the organization are sure of what’s happening, you, as a communicator, have to keep in mind in the first few hours or days that it’s good to let some of these situations play out before you declare anything with certainty."
Do no harm
Asked what would be the worst thing a PR pro could do to exacerbate the situation, Schraeder cites communicating inaccurate information first and, secondly, failing to communicate what the company is doing to secure its systems or to retrieve the information.
"This is what’s tricky about these ransomware attacks: there are few situations where companies will come out and say, ‘Here’s the exact amount of money demanded of us, or here’s the exact details of what they’ve done or intending to do,’" he explains. "There’s a gray area where you have to be careful about over-communicating. There might be negotiations going on behind the scenes. It’s a hostage crisis. Only afterward can you communicate more fully."
This past weekend, organizations in more than 150 countries were caught in a similar trap to what the New Jersey Spine Center faced last year when a CryptoWall ransomware attack encrypted patient records and blocked providers from accessing them, creating a literal life-or-death situation. The center ultimately decided to pay the ransom. It disclosed the breach to the public in a letter sent to patients in September, only after the hospital rebuilt its system and was able to access files.
Last weekend, the U.K.’s National Health Service was crippled by the massive ransomware attack. "I thought through that [and how] to decide what to pay for and what not to pay for," Schraeder says. "If you’re a physician caring for someone’s health and suddenly have no access to records, your patient’s life and health is in immediate risk. From a comms point of view, how do you prepare a client and advise a client ahead of time to go through a scenario where all the information is unusable?"
Melissa Havel, EVP of technology and Portland GM at WE Communications, echoes Schraeder’s advice, saying, "Do what’s right by your customers fist, plain and simple."
"It’s important to stay on top of three key media phases of all crisis scenarios," Havel adds, via email. "Crisis coverage consistently moves from issue discovery to identification of the responsible party and then finally into the analysis – who managed through the crisis well, how, who did not, and the impact – understanding which one you are in and managing appropriately drives best outcomes."