Experts have long been anticipating a cyber meltdown moment in the United States. Earlier this week, we saw “the big one” hit with the SolarWinds hack — one of the largest attacks in both scale and scope against government agencies, critical infrastructure entities and private companies. What does this mean for communicators and PR pros looking to guide companies through this crisis?
This is a dynamic, developing story, and communicators must stay on top of it. Researchers at federal agencies, including the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA), are releasing new findings daily about the impact of the breach. The two agencies’ latest alerts were issued on Thursday, and CISA is expected to issue a new advisory on Monday.
Who Should Be Prepared?
On Friday, CNN reported a critical development in the breach news taken from the most recent CISA alert, indicating victims of the breach might include companies, entities and organizations that never used the SolarWinds Orion software.
As such, we’re encouraging all companies to take this important moment to ensure they have a plan in place for communicating during a crisis, as well as reminding them of steps to take when mitigating a data breach.
- Monitor Security Alerts from Breached Companies and Federal Agencies — Staying informed and up to date on the latest developments of any crisis is the first step to developing a communications strategy. While the full scope of the SolarWinds hack remains unclear, companies should monitor updates from the NSA, CISA, Department of Homeland Security and impacted companies, including SolarWinds, Microsoft, FireEye and VMWare.
- Compliance, Privacy Regulations and Standards — Security standards vary across industries, and it is important to understand the regulations your company must comply with in the event of a data breach. Organizations within the healthcare and financial services industries must comply with additional regulations around how consumer data is stored and protected. Regulations such as the California Consumer Privacy Act (CCPA) also detail guidelines around reporting a data breach, which if not followed exactly can result in fines for companies that operate in California.
- Notify Stakeholders — In the event of a data breach, your company should have a plan in place for communicating to internal and external stakeholders. A blog channel is a great way to provide updates and resources to customers, employees, and industry partners. Social channels can also be leveraged to direct eyes towards important notifications. Finally, a public relations partner can provide critical strategic guidance to help you sift through the most important information develop messaging that will resonate with your audiences and help you target the best channels for disseminating your updates.
The Next “Big One”
Many cybersecurity experts are also noting the new approach used in this attack, which may indicate that hackers are becoming more sophisticated and that future attacks might be just as big and just as hard to detect. For companies looking to protect their brands and reputations against the next “big one,” our major takeaway is to make sure you have a crisis communications plan in place now. Any delays in putting together a plan or investing in preparedness will cost you money and trust in the long run.
RH Strategic is a Seattle and D.C.-based communications firm with a nationwide presence and additional global reach via membership in the Worldcom Public Relations Group. We provide strategic public relations for innovators in the technology, government and healthcare markets.