Explaining what’s happening in a cyber attack is hard but crucial



The cyber attacks on M&S, the Co-op and Harrods are a prominent example of a cyber incident causing real-world disruption across the UK. But it’s also an opportunity to learn from the challenges all organisations face when trying to explain to their customers what’s happening, amid the disruption and uncertainty that cyber incidents can generate.
 
This is one of the hardest elements of a cyber incident, and one fraught with risk, given the potential reputational damage and loss of trust if handled poorly. Without being in the room, it’s hard to assess how a company is handling a crisis. We have a good idea, though, of the communication challenges that M&S and the other retailers will be working through. Overall, it seems they’ve done a good job so far, although there is still a lot of ground to cover as the incident evolves. 
 
M&S’s communications have been proactive, with a well-judged tone, and it has been impressive to see their leadership communicating directly with customers. The critical question is how the messaging aligns with the operational picture and potential evolution of the incident. Aligning those, with incomplete information, is difficult. What you think you know early on in a cyber incident often turns out to be wrong.
 
People’s reactions to cyber incidents are also continually shifting. Awareness of the threat has grown significantly, so disruption quickly prompts speculation about a cyber attack. Generally, people are less concerned about data being lost than they once were, as they have experienced it many times before. But there are still plenty of people worried about sensitive data, some of whom are becoming more litigious. And many have good reason to be concerned – threat actors are becoming more adept at using stolen data, especially with the growing use of AI.
 
Threat actors are also increasingly contacting employees and customers of companies they’ve hacked, to try to increase the likelihood of the company paying a ransom. These calls or emails can be aggressive and alarming. And if a company has been reticent to communicate with these stakeholders, this needs sensitive handling.
 
All of that means internal communications about an incident are ever more important. Comprehensive media monitoring is also critical to understand the conversation about the incident and how your messaging is being received. Additionally, there’s growing value in reaching customers directly (M&S has been adept, for example, in its use of Instagram).
 
Overall, the most critical thing is to align the communications with the operational response and manage people’s expectations accordingly, both internally and externally. Common mistakes we see in our work (mistakes that we try to help companies avoid) include:

  1. Saying too much too soon. It never ceases to amaze me – even after having worked on dozens of incidents – how often forensic evidence evolves over time, fundamentally changing the understanding of the incident. This can be hard to handle from a communications perspective, particularly if you’ve told your customers that their data weren’t stolen, only for them to later discover that they were. Being an unreliable narrator is one of the fastest ways to lose trust.

  2. Saying too little for too long. Not knowing all the facts doesn’t mean you shouldn’t provide advice, both internally and externally, on what to do if, for example, operations have been disrupted.

  3. Getting the tone wrong. Companies are often keen to praise themselves for the speed and effectiveness of their response, or describe themselves as victims. If people’s sensitive data have been lost, they might not see you as the victim, but as being to blame.

  4. Forgetting that threat actors read the news too! Communications around a cyber incident are complex, with multiple audiences to consider. One of those audiences is the threat actor, especially when they’re trying to use media as part of their ransom negotiation.

 
We’ve seen plenty of incidents handled well, with customers, suppliers, investors, regulators and staff all updated regularly and honestly, so people understood that the company was doing all it could to mitigate the impact on them. However, we should all – whether we’re M&S or a much smaller company destabilised by a cyber incident – keep learning how best to handle communications around it. 

Mikey Hoare is a crisis expert at communications advisory firm Kekst CNC, and former Director of National Security Communications for UK Government


