Is the PR department as worried about cyber attack as the CEO?

Alistair Osborne writing in The Times has reported on comments made by Gavin Patterson, CEO of BT, in which he spoke about the scale of the growing threat of cyber attack. Highlighting concerns around a lack of preparedness he stated: “While I think there is a recognition at board level, I’m not convinced that there is a high technical understanding.”

If this is the case at board level, it raises a valuable question around the extent to which PR departments are adapting their own crisis management plans to include the likelihood of such an attack.

It is not simply a crisis which determines the scale of reputational damage but invariably an organisation’s response. ‘Think back from the inquiry’ is a mantra I’ve heard used to encourage those engaged in scenario planning to focus on how a response could be analysed at a Select Committee hearing. Certainly an extreme approach but a useful reminder of the need to value reputational impact as much as operational; business as usual can resume within days but the public mauling may continue for months.

ADS’ Security Director Mark Philips has written often about the challenges faced to businesses from cyber attack, he makes the point that: “By 2020, more than 50 billion devices will be connected to each other (the Internet of Things), providing a larger attack surface with ‘always-on’ devices and shared data libraries and stores.”

For most organisations used to preparing for crisis – train companies, airlines, airports, hotel groups – there is a combination of corporate memory, inherent understanding, and experienced or well-practiced scenarios which provide logical direction. Statements may have to be adapted but the language is prepared, something which any duty press officer can lean on quickly when the phone goes at 3am. But this is a new kind of crisis which requires a different approach.

Beyond tech companies, the IT department for many PRs is the place where the people who fix ‘the email’ sit. There needs to be a different level of engagement; the infrastructure has to be understood in the same way that a major transport network is understood. The vulnerabilities need to be highlighted along with how a recovery would be undertaken.

Reputational damage is best mitigated through clear communication which demonstrates that an organisation is in control and responding effectively. IT is a technical, jargon-filled dialect of confusion for many. If it is not understood it cannot be translated effectively. If the first conversation that takes place between the PR team and IT is midway through a data leak, the reputational battle will be lost. Both departments need to acknowledge that the time has come to get to know each other better.