Cyber-insecurity is a fact of life now, for businesses of all sizes. This month's global ransomware attack was a harsh reminder that hacking, cybersecurity improvements and phishing emails are all just part of the new arms race between companies and would-be cyber bandits.

The WannaCry virus infected more than 300,000 computers around the world. Experts have estimated that the costs will run to at least $4 billion as expenses related to "lost productivity and the cost of conducting forensic investigations and restoration of data" mount. This doesn't take into account the added financial burden of purchasing new software to fight against the latest threats.

For startups and other small businesses, the risks are even greater. Sensitive information, leaked and published out of context, can jeopardize funding, drive away your customer base, and send employees running to update their LinkedIn profiles.

According to SmallBiz Trends, 43 percent of cyber attacks target small businesses, and 60 percent of these companies go out of business within six months of a breach. The risks are real and the costs are very, very high.

What can be done?

Step one is to assess the damage. Knowing what sensitive data was breached will help you assess your response options.

Step two is less straightforward -- communicating the attack (and your response) to the world in a timely fashion to contain the fallout. Your response to the press is important. However, the people you work with and depend on don't want to first read your quotes, however pithy, in their newsfeed.

Direct and succinct communication to your key constituencies is crucial. Assess who needs to know exactly what you're doing, before, during, and after you do it.

Where do investors lie in your hierarchy? Employees or other coworkers, board members, customers? Not everyone in your network is created equal, and your communications need to be sent in order of relevance to your business's survival.

Do you have a company intranet, or a database of emails for key partners? Whatever your communications vehicle, it will need to be used to discreetly let people know exactly what is being done to safeguard their interests now and in the future.

Handling the media

Of course, the press may come calling too; you'll need to be ready for media inquiries. And as much as a call from the New York Times or the Washington Post can strike fear into your heart, businesses tend to live and die more often by the tone and focus of coverage in their industry trade publications and among influential bloggers and social media critics.

For example, if you're a biotech company, you should already be paying attention to Adam Feuerstein. He's a blogger turned columnist at The Street (he's moving to STAT in June) and has been called "the most feared man in biotech" for his "itchy trigger finger" on social media. He has 64,000 of exactly the right kind of followers who care about the sensitive information of companies in crisis.

Communicating your actions and the context of any leaked information to writers like him should be strongly considered as a media-response priority for any biotech company facing this type of fallout. The same is true for other industries and their respective media outlets.

If the FBI or CIA declares publicly that the hack originated from foreign actors, count yourself lucky, at least from a crisis communications perspective. This can be shared with appropriate audiences and buy you some more time to put your house in order and get back to business.

If not, survival is still an option. It's just not a guarantee, and who you tell, how you tell them, and what you say all matter more than you may know.