Insights

Speaking on Cyber: Leading through a cyber breach

Posted by
Angela Carmichael
Insights

Speaking on Cyber: Leading through a cyber breach

Écrit par
Angela Carmichael

For Cyber Security Awareness Month this October, we’ve been chatting with FHR’s most-seasoned crisis communicators to provide businesses with expert tips and advice to help them better protect their brand reputation before and after a cyber incident.    

In part one of our Speaking on Cyber series, Anne Marie Quinn, Senior Vice President & Partner at FHR, discussed why all businesses should have a cyber communications plan ready in advance of a data breach. Charles Muggeridge, Senior Vice President, Partner at FHR, then spoke about the immediate communication actions that businesses need to take following a breach in part two of our series.  

Today, we shift our focus to the big chair, examining the important steps leaders must take to better communicate with stakeholders when a cyber crisis hits. For this one, we go right to the top, speaking with FHR President and experienced crisis communicator, Angela Carmichael. Over the years, she has helped organizations in various sectors make smart, timely decisions in the crucial moments after a breach, helping them navigate the crisis and move on to reputation recovery more quickly and easily.  

Key takeaways - leading through a cyber breach

  • There is no such thing as over-communication in a crisis; however, communicating the right thing at the right time is key  
  • Understand that the team will look to you to set the tone for how your company should be be perceived as you work through the crisis  
  • Build trust with customers and employees with open, honest communication  
  • It’s not every day (hopefully) that you fall victim to a cyber breach, so seek the advice of experts who have experience specific to cyber breaches  

Speaking on Cyber: Q&A with Angela Carmichael

Why is leadership so important during a cyber breach?

In times of crisis, everyone is engulfed by the chaos around them, so as a leader you need to set the tone for your team. It’s a crazy time and people are looking to you for leadership on what to say and how to behave. When you’re talking about impacts to business continuity and the potential loss of customer or employee information, the CEO absolutely needs to be at the table early on to understand exactly what is happening. At the same time, you have to understand in short order what you do know and what you don’t know. It is critical to bring the experts to the table: forensics, legal and communications to start, who have experience in breach situations and can help you get to the communications decisions you need to make as a leader, faster.  

What’s the best communication advice you could give a leader in a breach situation?

Obviously, no two cyber breaches are created equal, as they have different causes and effects and therefore different strategies for how to best communicate. However, one of the first things to understand is that there is an entire universe of stakeholders your company must communicate with after a breach Ask yourself, what are their unique needs and what should they be hearing from you? You’ll likely need a different cadence, depending on whether you’re speaking to customers, employees or board members.  

How can leaders strike a balance between communicating too much and too little?

How, when and what you say depends on the specific cyber breach situation you're in and the information you know to be true in terms of how you prioritize and roll out communications. What we advise is stick with the facts and with what you know at the time. You want to be open and transparent, but you also want to ensure you’re working with the right facts and avoiding speculation.  

When communicating with a specific audience, keep in mind the point-of-view of the person receiving the information. Letting your employees or customers know about a data breach when you can't give them definitive answers on how it will impact them directly is almost unfair, as it can create a lot of unnecessary stress. It’s also common for employees to talk broadly about what they’re being told about a breach – inside and outside the company – which isn’t very helpful when not much is known. On the flip side, we’ve also been brought into breach-response situations where the company had completely forgotten to communicate with two key audiences: employees and board members.  

When responding to a cyber breach, leaders should also try to strike a balance between what their legal obligation is and a broader course of action that may be needed from a reputational perspective. For example, you may not be legally required to provide customers with identity theft insurance or fraud protection, but this could be an important step in showing them you’re going above and beyond for your impacted stakeholders.

Can a company rebuild its reputation with stakeholders after a cyber breach?

It certainly can, and typically how well the company and its leadership have managed the situation is the best indicator as to how difficult the road ahead will be. I believe in the mantra that leaders can be born in a crisis, and we’ve seen that play out in surprising ways through COVID-19.  

Bad things happen to good people and good companies all the time. It's how you lead through the crisis that will set the tone for how your stakeholders view you moving forward. This is true for both leaders and businesses themselves. While there’s no doubt that suffering a cyber breach is a net negative for a company, it’s also an opportunity to build greater trust with clients, customers and employees by being open, honest and demonstrating that you are going above and beyond to make things right. Communicate effectively from the start and give your stakeholders the information they need in a timely fashion, and I think they will have a lot of appreciation for that.    

For more information on navigating a breach, visit the Canadian Centre for Cybersecurity. To protect your organization from unpredictable threats and cover your workforce devices and IoT, SaaS and email, consider deploying FHR client Darktrace’s self-learning cyber AI. To make sure your team is cyber security aware, train your employees using FHR client Terranova Security’s people-centric security awareness training.

For Cyber Security Awareness Month this October, we’ve been chatting with FHR’s most-seasoned crisis communicators to provide businesses with expert tips and advice to help them better protect their brand reputation before and after a cyber incident.    

In part one of our Speaking on Cyber series, Anne Marie Quinn, Senior Vice President & Partner at FHR, discussed why all businesses should have a cyber communications plan ready in advance of a data breach. Charles Muggeridge, Senior Vice President, Partner at FHR, then spoke about the immediate communication actions that businesses need to take following a breach in part two of our series.  

Today, we shift our focus to the big chair, examining the important steps leaders must take to better communicate with stakeholders when a cyber crisis hits. For this one, we go right to the top, speaking with FHR President and experienced crisis communicator, Angela Carmichael. Over the years, she has helped organizations in various sectors make smart, timely decisions in the crucial moments after a breach, helping them navigate the crisis and move on to reputation recovery more quickly and easily.  

Key takeaways - leading through a cyber breach

  • There is no such thing as over-communication in a crisis; however, communicating the right thing at the right time is key  
  • Understand that the team will look to you to set the tone for how your company should be be perceived as you work through the crisis  
  • Build trust with customers and employees with open, honest communication  
  • It’s not every day (hopefully) that you fall victim to a cyber breach, so seek the advice of experts who have experience specific to cyber breaches  

Speaking on Cyber: Q&A with Angela Carmichael

Why is leadership so important during a cyber breach?

In times of crisis, everyone is engulfed by the chaos around them, so as a leader you need to set the tone for your team. It’s a crazy time and people are looking to you for leadership on what to say and how to behave. When you’re talking about impacts to business continuity and the potential loss of customer or employee information, the CEO absolutely needs to be at the table early on to understand exactly what is happening. At the same time, you have to understand in short order what you do know and what you don’t know. It is critical to bring the experts to the table: forensics, legal and communications to start, who have experience in breach situations and can help you get to the communications decisions you need to make as a leader, faster.  

What’s the best communication advice you could give a leader in a breach situation?

Obviously, no two cyber breaches are created equal, as they have different causes and effects and therefore different strategies for how to best communicate. However, one of the first things to understand is that there is an entire universe of stakeholders your company must communicate with after a breach Ask yourself, what are their unique needs and what should they be hearing from you? You’ll likely need a different cadence, depending on whether you’re speaking to customers, employees or board members.  

How can leaders strike a balance between communicating too much and too little?

How, when and what you say depends on the specific cyber breach situation you're in and the information you know to be true in terms of how you prioritize and roll out communications. What we advise is stick with the facts and with what you know at the time. You want to be open and transparent, but you also want to ensure you’re working with the right facts and avoiding speculation.  

When communicating with a specific audience, keep in mind the point-of-view of the person receiving the information. Letting your employees or customers know about a data breach when you can't give them definitive answers on how it will impact them directly is almost unfair, as it can create a lot of unnecessary stress. It’s also common for employees to talk broadly about what they’re being told about a breach – inside and outside the company – which isn’t very helpful when not much is known. On the flip side, we’ve also been brought into breach-response situations where the company had completely forgotten to communicate with two key audiences: employees and board members.  

When responding to a cyber breach, leaders should also try to strike a balance between what their legal obligation is and a broader course of action that may be needed from a reputational perspective. For example, you may not be legally required to provide customers with identity theft insurance or fraud protection, but this could be an important step in showing them you’re going above and beyond for your impacted stakeholders.

Can a company rebuild its reputation with stakeholders after a cyber breach?

It certainly can, and typically how well the company and its leadership have managed the situation is the best indicator as to how difficult the road ahead will be. I believe in the mantra that leaders can be born in a crisis, and we’ve seen that play out in surprising ways through COVID-19.  

Bad things happen to good people and good companies all the time. It's how you lead through the crisis that will set the tone for how your stakeholders view you moving forward. This is true for both leaders and businesses themselves. While there’s no doubt that suffering a cyber breach is a net negative for a company, it’s also an opportunity to build greater trust with clients, customers and employees by being open, honest and demonstrating that you are going above and beyond to make things right. Communicate effectively from the start and give your stakeholders the information they need in a timely fashion, and I think they will have a lot of appreciation for that.    

For more information on navigating a breach, visit the Canadian Centre for Cybersecurity. To protect your organization from unpredictable threats and cover your workforce devices and IoT, SaaS and email, consider deploying FHR client Darktrace’s self-learning cyber AI. To make sure your team is cyber security aware, train your employees using FHR client Terranova Security’s people-centric security awareness training.

Angela Carmichael
President
With over 20 years of communications experience, Angela leads our talented FleishmanHillard HighRoad team and plays an integral role helping our clients through issues, crisis management and corporate reputation initiatives. She inspires her teams to produce compelling programs that are insightful, creative and drive business success for our clients.
Angela Carmichael
Présidente
Avec plus de 20 ans d’expérience en communication, Angela dirige notre équipe de professionnels doués chez FleishmanHillard HighRoad et joue un rôle essentiel en aidant nos clients face aux enjeux, en gestion de crise et dans leurs démarches pour la réputation de leur entreprise. Elle inspire ses équipes à mettre en œuvre des programmes efficaces démontrant une grande pertinence et créativité, tout en contribuant à la réussite commerciale de nos clients.