With every crisis there comes an opportunity. What has been given surprisingly little airtime is how the pandemic has led to an absolute field day for cyber criminals feeding off the recent uncertainty and our increased dependence on digital services. The surge in home working has increased the use of potentially vulnerable services, such as VPNs, amplifying the threat to individuals and organisations. Many of you reading this will have received COVID email alerts, but how many of them are legitimate?
I suspect most businesses and organizations involved in the coronavirus response are on the list of targets. Last month, the WHO reported a fivefold increase in the number of cyberattacks directed at its staff, and in email scams targeting the public at large, since the outbreak of the virus. Similarly, the US Department of Health and Human Services was hit by a campaign of disruption and disinformation, with breaches this year affecting an estimated 3.3 million individuals. In Singapore, the Cyber Security Agency (CSA) sounded the alarm on calls from scammers impersonating CSA officials who claimed to be investigating suspicious activity on their victims' networks.
Cybersecurity experts note the role that human behaviour has played in the rise in phishing since the pandemic broke out. PA Consulting’s Luke Vile asserts that “the most effective phishing attacks play on emotions and concerns, making these messages hard to resist. Societally, we’ve never experienced this situation before, so all rules are off in terms of how people behave.”
Legal experts have also noted that while there has been an escalation in the number of cyberattacks during the pandemic, there has been a slight slow-down in reporting – suggesting that many businesses are not yet aware of incidents affecting them and that we will see a swell in reporting in Q3 and beyond. We’ve witnessed this surge first-hand, supporting businesses in recent cybersecurity incidents.
According to research by Check Point, phishing attackers in the U.S. most commonly pose as Apple and Netflix. Consumers are currently using these brands more than ever, and we are likely to see more similar, opportunistic scamming. Companies should therefore be proactive in telling consumers which emails they would and would not send, and in urging them to be alert to suspicious links.
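The brand-impersonation pattern described above can be made concrete. The following is an added example written for this article (not Check Point's research code, nor anything from the author or H+K): it extracts the links from an HTML email body and flags those that invoke a brand's name, in the link text or the hostname, while actually pointing somewhere the brand does not own. The allow-list of legitimate domains, the substitution table and the sample email are all constructed for illustration; the two-label "registrable domain" shortcut is an assumption that a production system would replace with the Public Suffix List.

```python
"""Flag links in an email that impersonate a brand (e.g. Apple, Netflix).

Added example for this article, not code from Check Point or the author.
BRAND_DOMAINS and SAMPLE_EMAIL are constructed for illustration.
"""
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed allow-list (assumption): domains each brand genuinely sends from.
# A real deployment would take these from the brand's own published guidance.
BRAND_DOMAINS = {
    "apple": {"apple.com", "icloud.com"},
    "netflix": {"netflix.com"},
}

# Digit/symbol substitutions commonly used to build lookalike names ("netf1ix").
_SUBSTITUTIONS = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"}
)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for .com; a real system should use
    the Public Suffix List so that e.g. example.co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalise(label: str) -> str:
    """Undo common homoglyph tricks so 'netf1ix' compares equal to 'netflix'."""
    return label.lower().translate(_SUBSTITUTIONS).replace("-", "")


def classify_link(text: str, href: str) -> Optional[Tuple[str, str]]:
    """Return (brand, reason) when a link looks like brand impersonation."""
    host = urlparse(href).hostname or ""
    if not host:
        return None
    reg = registrable_domain(host)
    for brand, legit in BRAND_DOMAINS.items():
        mentioned = brand in text.lower() or brand in normalise(host)
        if not mentioned:
            continue
        if reg in legit:
            return None  # the link really does go to the brand
        # Brand is invoked, but the registrable domain is not the brand's.
        if brand in normalise(reg.split(".")[0]):
            return brand, f"lookalike domain {host}"
        if any(brand in normalise(lbl) for lbl in host.split(".")[:-2]):
            return brand, f"brand used as subdomain of {reg}"
        return brand, f"link text names {brand} but points to {reg}"
    return None


class _LinkExtractor(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def suspicious_links(html_body: str) -> List[Tuple[str, str, str]]:
    """Return (href, brand, reason) for every link that impersonates a brand."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    hits = []
    for text, href in parser.links:
        verdict = classify_link(text, href)
        if verdict:
            hits.append((href, *verdict))
    return hits


# Constructed sample: a "payment failed" lure mixing two bad links with two real ones.
SAMPLE_EMAIL = """
<p>Your Netflix payment could not be processed.</p>
<a href="https://netflix.com.account-verify.net/login">Update your payment method</a>
<a href="https://www.netf1ix.com/billing">Netflix billing</a>
<a href="https://help.netflix.com/">Netflix Help Center</a>
<a href="https://www.apple.com/">Apple</a>
"""

if __name__ == "__main__":
    for href, brand, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{brand}: {reason} -> {href}")
```

Run against the constructed sample, the first two links are flagged (a brand name used as a subdomain of an unrelated registrable domain, and a digit-for-letter lookalike) while the genuine Netflix and Apple links pass. The same two checks are exactly what a company's "we will only ever email you from these domains" notice asks consumers to perform by eye.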
With this in mind, it’s useful to consider some broad advice. For companies affected by a cyber incident, I would recommend:
Communicate directly with stakeholders. Be honest and don’t sugar coat the facts. Show remorse and provide answers to their foreseeable questions.
Create a public statement. Again, provide an honest picture of the situation and answer the questions the media are most likely to have in mind. Make sure it states a clear plan of action and what has already been accomplished. This is also an opportunity to optimise the statement's headline for search, so that queries about the incident land on your statement.
Arm your social media managers with all the information they will need to answer questions, redirect queries and express remorse over the incident. Create a response chart with clear guidelines on which responses are to be given to specific questions, together with timelines and an escalation process.
Monitor the situation. The communications team should track how the company's online reputation is developing. At the onset, audit how the company appears in search and social results, so that its own communications rank above the third-party content being shared by the media, on Twitter and elsewhere.
The COVID crisis also demands some general crisis management housekeeping:
It is likely that many organizations will not have reviewed their crisis plans and procedures for some time. It is important they are revisited, as many aspects of communication, responsibility and escalation will need to be sense-checked in light of the current circumstances.
Face-to-face meetings and conversations, which are crucial during a crisis, are currently impossible. Emphasis therefore needs to be placed on the efficiency and accuracy of written communications between members of the appointed crisis team.
A recent FT article highlighted the growing cybersecurity risk posed by companies' own employees. Proactively reinforcing company guidelines on not engaging with strange-looking emails, and on reporting any suspicious activity to IT, is one way to help mitigate that risk.
Where appropriate, some businesses (particularly those in finance and retail) may want to proactively warn customers of criminal activity.
Ultimately, with cyberattacks at a heightened level, the need to be human and empathetic in communicating is paramount as people are undoubtedly under more stress and emotions are high. Organizations need to be careful – not only in how they protect themselves from risks, but also in their response to them.
Tim Luckett is the global Chair of Hill+Knowlton Strategies' Crisis practice. He has wide experience in pandemic planning, training and response, and in supporting organisations globally on COVID-19. His recent experience also includes managing multi-jurisdictional data breaches, hacking attacks and a high-profile cyber bribery case. He is a regular speaker on reputation and cyber security.