Recovering From a Cyberattack: Communication is Key for Counties
Local agencies are a popular target for cyberattacks, since many have not established rigorous safeguards. Imagine what could happen if a cyberattacker seizes control of your data and systems, whether it’s theft and public release of information or a ransomware hostage situation. Resident/customer information, billing and payment systems, 911 dispatch, human resources and payroll records, legal documents, traffic controls, and countless others can go offline or become inaccessible in an instant.
While the technical aspects of recovering from such an attack, or developing safeguards to prevent this crisis are both important steps for counties to consider, a communications strategy should be a key component of any successful cyberattack response. During the response phase, county leaders and communicators will be just as important as those who investigate what happened and restore services.
Cybersecurity experts consistently note three essential communications guidelines:
- Openness with those affected
- Transparency in explaining what happened
- Honesty about the attack’s scope
Sadly, those tenets are frequently missing from cyberattack response guides, and bad situations are made worse by a communications vacuum, rumor, innuendo, and fear.
Your stakeholders will express a range of feelings – outrage, disappointment, worry, and confusion – and will ask pointed questions. How did you let this happen? Are my kids safe? Is my credit impacted? How are you going to get services re-started? When will things be back to normal?
Here are ten ways your county can prepare for and respond to an attack:
- Know Your Exposure – meet with your information management staff and department heads for an in-depth — and brutally honest — discussion about your county’s cyberattack vulnerabilities
- Be a “Nudge” – communications is one of the most important elements of a viable cyberattack response, and as a county leader (whether elected/appointed or staff) your input must be part of the response even if it means sometimes being a pest; continually ask tough questions about the attack’s scope and recovery progress
- Prevent an Attack From Happening – craft an education program for staff centered on spotting phishing and other attack triggers in personal email accounts; this behavior will carry into the workplace
- Highlight the Risk – ensure that staff understands the potential damage to your county and those you serve, recovery costs, and the hit to your credibility when information is stolen or held hostage
- Focus on New Hires – include cybersecurity in orientation materials and briefings, and emphasize your county’s commitment to the protection of its information
- Plan Your Response – make sure your emergency response and crisis communications plans include cyberattack; don’t forget about your staff, which will be affected in many ways
- Identify Your Team – chaos will likely ensue when you’re attacked and you’ll need to immediately gather your designated crisis response team, including your local municipal, FBI, DHS, Secret Service, and other partner agency contacts; pull your team together and build relationships now, as you won’t have time when the attack hits
- Anticipate Outrage – your stakeholders will be angry and confused…and communicating with heartfelt empathy will help you tell your county’s response story more effectively
- Prepare for Questions – though each attack is different, you can begin drafting your answers to questions you’re most likely to be asked by your stakeholders and the media and then modifying as necessary when you become a victim; identify your attack-related spokesperson and train them for a high-visibility response
- Create Response Documents – develop cyberattack holding statements, pre-prepared social media posts, news releases, and staff communication scripts that are written in plain language and can be deployed quickly
Remember to tell your resiliency story whenever possible. Our stakeholders expect us to anticipate bad things, and we can increase confidence by noting our challenges, highlighting what we’re doing to keep information safe, and committing to honesty when something happens.
County leaders have a variety of tools available to help build constituent confidence. Discuss cybersecurity at policy leader updates, hold community and staff forums, start online discussion, and even consider pitching a media story. The more counties focus on cybersecurity, the less likely we are to become victims.