Jude McCorry, CEO of Scottish Business Resilience Centre (SBRC)


Businesses have experienced a rollercoaster of challenges over the last year. Cyber security has been a big part of that for many organisations – recent research from the NCSC found that cyber attacks rose during 2020. In Scotland alone, I am sure many of us can name an organisation that has fallen victim to some sort of incident.

But, while most conversations around ransomware and phishing attacks focus on the impact on a business’s operations and IT systems, there is another issue at stake: reputation.

Warren Buffett said: “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.” This sobering statement is what businesses must consider when looking at their cyber security, because if their procedures are not up to standard, reputations can be shattered in an instant.

Planning for the unknown is a challenge. But it is not as challenging as facing a cyber security crisis that may cause lasting damage to your organisation’s reputation.

Put the leg work in

The unfortunate thing about planning for a crisis is that you never know how or when it will occur. This can make it particularly hard, as you need to consider a variety of incidents that might impact the organisation. As with any crisis, defining and dividing roles and responsibilities across a core team is important, but when it comes to dealing with a crisis related to a cyber incident, there are other steps and activities to consider within the planning/preparation stage.

First up, take a temperature check of the company’s IT security procedures and standards. Make sure you are aware of the data encryption levels within your organisation and pinpoint any security gaps that could be harmful in terms of reputation. Work to resolve these, or at least limit the potential impact.

It may be worthwhile to gain Cyber Essentials or Cyber Essentials Plus certification, as this will demonstrate to your stakeholders, customers and partners that you are invested in IT security.

Define your message and test it

Information and content will form the bulk of a company’s armour during a crisis. In the eye of a cyber storm, you simply won’t have the bandwidth to create these documents from scratch, so block off some time now and get some templates together. Store them in a secure location that remains accessible in the event of an IT disruption. You will need:

  • Draft responses for a variety of scenarios and timeframes – at a minimum, the essential information to get you through the first 48 hours.
  • Content for the company website – including FAQs and/or a hotline for customers or stakeholders to call. This can be pre-uploaded and hidden, ready to be ‘switched on’ if needed.

While these documents may not be the finished article, they should provide a solid foundation upon which the organisation can conduct a rehearsal to test possible scenarios. This is where you identify and involve key decision makers – from the CEO to the IT team. Involve them in scoping the messaging around a scenario to ensure it resonates and that they are comfortable delivering it externally.

In the eye of the storm

During a cyber incident, things can move quickly, and snap decisions can be made about a company that may harm its reputation. A common mistake is not acting quickly enough and/or not being visible while doing so. The way an organisation responds in these situations can ultimately make or break the business – no matter how much work has been done in the background.

Having the CEO front and centre as the face of the business is important to avoid any accusations of going to ground. The CEO should be:

  • Accessible to the senior team and key stakeholders (that includes valued media contacts)
  • Trained and well-practised in crisis scenarios
  • Known and trusted by target audiences.

When activating the messaging, clarity, honesty and simplicity are vital. Building these threads into all communications means audiences have the information they need in a reasonable time, which keeps trust in the brand steady.

Focus on learning and recovery

While we tend to talk a lot about preparation and the crisis itself, less is said about the post-mortem – which is just as important. This phase brings you full circle by considering what went well, what didn’t, and what needs to change for next time. Think about:

  • Timing: what information was shared, when and to whom?
  • Tone of voice: how did your organisation come across?
  • Spokespeople: did the team work well together? What training do team members need to take on this role in future?
  • Processes: were there any gaps or misunderstandings?
  • Employee engagement: were staff supported throughout and reassured where possible?

Get back on track

It’s really important, while you are doing all of the above, to ‘zoom out’ a bit. Focus on the big picture, which is protecting the reputation of the business and returning to some semblance of normality. Understandably, some activities might need to pivot depending on the impact of the incident, but this strategy will be central to re-establishing your organisation’s reputation. Try to weave this positive narrative through all activities and encourage colleagues to instil confidence and capability.

Investing time to prepare, act and review will ensure that the business and your people are ready to limit the impact of any cyber security attack.