
The Rise Of Ransomware: What Communication Executives Need To Know

Forbes Communications Council

Vice President of Marketing for Celerium, leading all marketing programs, branding initiatives and partnership outreach efforts.

Cybercrime reports are on the rise. But this isn’t just a technical or cybersecurity issue. It’s also a business and PR issue.

Imagine the impact of a news article announcing that your company was hit with ransomware. How would your customers, investors or other communities react? A ransomware attack is as much a crisis for a business as a financial or personnel crisis, and the impact could be just as severe — if not more.

A ransomware attack could lead to financial, operational, personnel and technological impacts. And attacks remain highly newsworthy. That’s a perfect storm for a PR team.

So, what happens during a ransomware attack?

First, attackers gain entry into a company’s systems and deploy ransomware to encrypt its data and lock up its systems. Attackers then demand a ransom payment in exchange for decrypting that data and regaining system access. The average ransom demand increased significantly — by about three times — in the first half of 2021 compared to the first half of 2020, according to Coalition claims data (via Security). The average ransom demand went from $450,000 to $1.2 million per claim.

Not all businesses that experience a ransomware attack end up paying the ransom. In fact, the FBI is against paying ransoms. However, the financial impacts of a ransomware attack don’t stop with the ransom.

Beyond the requested ransom, the costs of recovering from a ransomware attack can be exorbitant. A recent report from Sophos found the average total cost of recovery from a ransomware attack more than doubled from 2020 to 2021 — increasing from $761,106 to $1.85 million. This is a significant cost that businesses may not be prepared to incur. And then there’s the lost revenue and other financial considerations.

Recent ransomware attacks shine a light on the business issues that communications executives should understand.

• A ransomware attack on the Colonial Pipeline caused a six-day shutdown of the company’s operations. That, in turn, led to panic-driven gas shortages. Consider the loss of revenue, and the loss of face, the company likely endured during that time.

• An attack on Kaseya, an IT solutions provider, was said to impact 1,500 downstream businesses and 60 Kaseya customers. The attackers leveraged a vulnerability in a Kaseya product, which led to a multiplier effect.

These examples may make it seem like ransomware is only a threat to big companies, but that’s not the case. Small and medium-sized businesses are also victims of cyberattacks, according to Datto research (via Help Net Security). Some smaller companies may lack basic cybersecurity hygiene, meaning they don’t have appropriate cyber defense mechanisms in place to protect against attacks.

What Communicators Should Consider When It Comes To Ransomware

1. When an attack occurs, stakeholders want — and need — to be updated regularly.

Depending on the type of business you work for, you may need to communicate with several groups as soon as your company detects a ransomware attack.

Customers, of course, should know what’s happening. But don’t wait until you have a clear answer about how they will be impacted — communicate early and often to let them know that you are aware of the situation and working to resolve it, and let them know how and where they can get updates.

Employees also deserve to know what’s happening. Because many employees are still working from home, they could experience personal impacts. We saw this with the Colonial Pipeline attack, which resulted in a breach of employees’ and former employees’ personal information.

And, of course, you need to keep investors or other stakeholder groups updated as a ransomware attack and the fallout unfolds.

A response updates webpage could help you communicate with the above audiences.

The U.S. government is another group that wants to be informed of ransomware attacks. Representatives from agencies like the FBI recently said that Congress should consider passing a bill that would require companies to tell the government when they’re hit by a cyberattack.

2. Communication with stakeholders, and the public, should follow a crisis communications plan.

As I mentioned above, a ransomware attack is a huge crisis — perhaps one of the biggest that a company could face. Accordingly, communications leaders should have a communications plan in place in case of a ransomware attack. If you know what you’re going to do and what resources you need to pull together, you can decrease the amount of time it takes to respond and streamline the process. The middle of a ransomware attack is not the time to make it up as you go.

The attack may not be over quickly. And you’ll need to address reputation issues. Following a crisis communications plan, communicating early, often and transparently with stakeholders, and considering the long-term impacts of ransomware can help communications leaders adequately address and mitigate long-lasting issues.

3. Avoid giving away information that attackers could leverage or giving attackers a way in.

Communications professionals have a difficult job. They must communicate about a company, its products and services, and the overall brand in a way that builds awareness and interest. It can be tempting to share lots of information (about specific customers, for example), but that could cause your organization to become the target of an attack. Be thoughtful about what you’re sharing publicly that anyone — including potential attackers — can see.

Communications and marketing teams often own the company’s website and digital presence. The website, social media accounts and other channels can provide easy entry points for attackers to get into the company’s systems.

Communications professionals should apply security measures and use best practices on these channels. That means you should adhere to cybersecurity best practices, such as turning on multi-factor authentication, using strong passwords and changing passwords often.

When it comes to ransomware threats, communications professionals not only play a role in protecting the brand’s reputation — they can also help defend the organization.


Forbes Communications Council is an invitation-only community for executives in successful public relations, media strategy, creative and advertising agencies.

