The past year has been littered with cyberattacks affecting major corporations around the world. From WannaCry to Petya to Cloudbleed, the attacks were as ominous and disastrous as their names suggest: Collectively, companies have lost millions of dollars in the aftermath of these attacks, and they continue to face the threat of other such malware attacks striking at any moment.
That underscores the twin challenge businesses face in cyberattack recovery: Even as they’re cleaning up the latest mess, they can’t overlook the threat of a similar attack striking in the near future. There’s no time to let your guard down. In this process, communication is key, and marketing teams inevitably find themselves thrust into uncomfortable territory: Saddled with a brand story that can’t be ignored, they are effectively forced into crisis management mode, coordinating with business leaders and IT to mitigate lasting brand damage and communicate critical messages both internally and externally.
In 2017, no enterprise marketing department can run the risk of operating without a cyberattack response strategy. Marketers should have a game plan ready to implement the moment one of these attacks strikes. This game plan should address two key fronts.
In the aftermath of a cyberattack, there are typically two external parties you should prioritize in your communications: your customers and your shareholders.
Both have a personal interest in the consequences of the cyberattack. Customers will want to know whether their data has been stolen, and shareholders will be watching closely to make sure the company’s marketing response assuages their fears and mitigates the attack’s impact on its own stock value. Marketing departments will need to coordinate a communication strategy that addresses these respective groups individually, providing transparent updates on the steps they are taking to mitigate damage and protect sensitive consumer data—or, if those losses are irretrievable, to relay exactly what information was collected in the data breach.
For marketers, the task of scrambling to gather information in the wake of an attack will prove chaotic at best, and disruptive at worst, especially as business leaders and IT work to address the breach and examine its implications. Some communication and consultation will be necessary, but AdAge recommends that marketers sit down with IT prior to an attack to get a base understanding of the company’s cybersecurity front and its history of attacks, including how past incidents were responded to. This is also a good opportunity for marketers to ask IT how they can support the company’s cybersecurity initiatives both in their general day-to-day activities and in the midst of a cyberattack recovery.
With this information in hand, marketers can put together a basic procedure that will direct their actions when a cybersecurity issue arises. Instead of backtracking to step one and wasting IT’s valuable time, they can step into the fray, gather the latest information, and begin to implement their external communication strategy.
Business leadership should work closely with marketers during the recovery process to align the company’s messaging and put business leaders at the front of these communications. In most cases, security attacks that affect shareholders and/or customers will need to be responded to from the company’s executive leadership, so their voices must be prominently featured in this marketing messaging. Marketers will want to present executives with a range of options for communicating this message externally. While press releases are a standard asset to use in this scenario, especially when it comes to shareholder communications, the company might also choose to publish executive comments to social channels, even through social video, to speak directly to customers and address their concerns.
If possible, try to discuss these options with business leaders in advance of an attack so that they understand the options and can identify certain preferences in terms of procedure. If you wait until the attack strikes, the response will only be tougher to coordinate.
Image attribution: Andrew Neel
Marketing will largely control the company’s public-facing response to a cyberattack. But it will also often play a role in managing internal communications and education among employees, especially as the recovery progresses beyond the initial response.
While every human resources department will be leaned on to provide immediate directions and communications to employees, marketing may be called upon to assist in raising employee awareness about their role in various security threats. As Forbes notes, employee error is one of the top security threats any company faces, and these employees could still be exploited by malware after a cyberattack is believed to be resolved.
A company’s marketing response can only do so much to mitigate the damages that stem from a prior attack, but it can be a valued asset in avoiding future incidents, potentially saving a company millions of dollars. Marketing may need to devote resources to an internal awareness and education campaign focused on employees. Through the use of newsletters, webinars, and other distributed content, marketing teams can play an active role in preventing the next attack from taking place. In the process, the company can develop a more security-aware workplace culture that recognizes security challenges and empowers employees to do their part in protecting the company.
No company is safe from today’s cybersecurity threats, no matter how good their security measures may be. That’s why a response plan is critical to surviving these attacks. The best plans will activate every department in the company to help weather the storm, and marketing is especially well-positioned to be a difference-maker in trying times.
For more stories like this, subscribe to the Content Standard newsletter.
Featured image attribution: Avi Richards