In the event of a cybersecurity incident, and especially in the case of ransomware attacks, it is not only important to respond quickly from a technical perspective, but also to communicate strategically just as quickly.

While the technical part involves analysing the attack, limiting damage and restoring normal operations as quickly as possible, communication in many companies remains chaotic, delayed or simply non-existent – thereby exacerbating the damage. Legal reporting obligations and deadlines must also be taken into account. An IT security incident can quickly lead to a crisis of confidence. This can be counteracted with an effective crisis communication strategy.

comm:unications Managing Director and communications expert Sabine Pöhacker answers the most important questions about proper crisis communication in the event of a cybersecurity incident.

Why is cybersecurity not only a technical issue, but also a communications issue?
‘When a cyberattack paralyses a company, it is often no longer possible to communicate at the touch of a button. Nevertheless, employees, customers and partners must be informed – even outside the usual communication channels – as quickly, concisely and comprehensively as possible.’

What role does communication play in preventing cyber attacks?
‘A significant one. The main thing here is to raise awareness among employees and make them realise that even inconspicuous emails can be dangerous and can paralyse a company within a short period of time. Workshops and webinars help to raise awareness.’

How can communication strategies help in the event of actual cyber attacks?
‘As always in crisis communication, prevention is key. We work out different scenarios with our customers in advance, define who is responsible for communication and determine the communication cascade. But it’s not just who communicates with whom and when that is important, but also whether a reactive or proactive approach is required.’

Why do many companies fail less because of technology than because of communication around cybersecurity?
“Because in most cases, they failed to define, map and regularly update their communication structures in advance. When the roof is on fire, no one has time to think calmly about anything, and then chaos is inevitable. Anyone who has an up-to-date crisis manual in an emergency will appreciate this very much.”

What are the biggest communication mistakes during a cyber incident?
‘Not communicating or, even worse, burying your head in the sand!’

How and how quickly should a company communicate – internally and externally?
‘The entire crisis machinery must be set in motion as soon as irregularities are reported. Depending on the severity of the incident, either only the critical areas such as the management team and decision-makers need to be informed, or, as in most cases, all relevant stakeholders.’

Which stakeholders need to be informed and in what order?
“Those directly affected must always be informed first. After that, it must be clarified when those indirectly affected will follow. Clear responsibilities and coordinated content are crucial: external stakeholders such as customers or media representatives do not need all the details, whereas employees need concrete and clear instructions for action.
Legal requirements must also be observed: data protection violations must be reported to the data protection authority within 72 hours in accordance with Art. 33 GDPR, and those affected must be informed. In regulated areas – such as under NIS2 – even shorter deadlines apply in some cases, for example 24 hours for significant security incidents, as well as other industry-specific reporting requirements.”

How can trust be rebuilt after a cyber attack?
‘Trust is rebuilt through transparent and continuous communication. Companies should openly explain the incident and its causes, outline lessons learned and concrete measures, and clearly communicate additional security precautions. If data has been compromised, an apology and honest information about possible risks are crucial. It is important not to cause panic, but to act responsibly, honestly and sincerely.’

Are new roles or processes needed at the interface between cyber and communication?
‘We know that four out of five crises in companies are poorly managed, and that this is due to a lack of or poor communication. That’s why the interaction between IT and communication departments is crucial. Addressing cyber attacks at an early stage and establishing clear procedures for action is an important first step.’

Awareness is crucial, because cyber attacks have long been a daily reality – even in Austria. They are becoming more targeted, more professional and more financially damaging, while phishing emails are becoming increasingly difficult to detect. However, cyber awareness must not end with technology: those who only clarify responsibilities and messages in an emergency lose time and control. Communication strategies developed at an early stage ensure clear information flows, trust in a crisis and thus crisis resilience.

Save the date: IT crises & communication
Sabine Pöhacker, managing director of comm:unications and communications expert, together with experienced IT security experts from Purple-Tec and other speakers, will explain which steps are important in preparation and how you can make your communication processes crisis-proof at a free half-day business brunch on the morning of 22 April. Information on registration can be found in our March newsletter – subscribe here.