Cyber security communications: Preparing for and managing a ransomware attack

Jud Moore, Senior Partner and EMEA crisis lead

Last week President Biden made a stark prediction “I think it’s more than likely we’re going to end up, if we end up in a war—a real shooting war with a major power—it’s going to be as a consequence of a cyber breach of great consequence and it’s increasing exponentially, the capabilities.

A rather sobering thought but perhaps not a wholly surprising one.

Closer to home, the Chief Executive of the National Cyber Security Centre last year warned that criminal hackers carrying out ransomware attacks now represents a bigger risk to UK national security than online espionage by hostile states​.

Ransomware is a cyber-attack against any entity with computer systems to inflict enough pain to extort a massive payment from the ‘victim’.

Over the last couple of years – and due in part to the remote working environment there has been a sharp increase globally in ransomware attacks.

recently published report from SonicWall reported that attempted ransomware attacks skyrocketed in the first half of 2021, with 304.7 million attempted attacks seen by the company.

However, the recent Colonial Pipeline incident in the US, and the critical repercussions it could have led to, has pushed the issue of cyber-attacks even further up the political agenda.

Here in the UK, we have followed the global trend with an increasing number of businesses of all sizes and sectors finding themselves on the receiving end of a ransom demand.

Whilst the repressions of many of these incidents aren’t necessarily on the scale of Colonial Pipeline, for a business managing a ransomware incident, it can feel just as significant.

And, even for businesses with a proven track record on managing crises, when faced with a ransomware incident – where systems including emails are down for weeks and there is the real possibility of sensitive or personal data being taken by the threat actor – it can feel in those first few hours and days an overwhelming and sometimes hopeless situation.

At FleishmanHillard, we’ve advised a broad range of businesses and organisations through ransomware incidents – from professional services companies and retailers to travel companies and educational institutions.

Over this time, we’ve had to consistently adapt our approach in order to prepare for and respond to the ever-changing tactics adopted by threat actors.

However, our approach to helping clients prepare for or manage incidents is based on the following principles:

Reputational Priorities – It is essential that all stakeholders see you as a credible source of information.

To maintain that credibility, be consistent in the information you share internally and externally.

Any discrepancy that emerges between what you are telling different audiences can be dissected, lead to questions about the situation and your transparency, and harm your reputation long term.

The decisions companies make before, during and after a ransomware attack will have a huge impact on how they are perceived by their stakeholders.

To Pay or Not to Pay – While some companies have policies on this matter, not enough know where to begin when responding to a ransomware attack.

Often the starting point is ‘we don’t pay’ – either from a legal stance, ethical perspective, a technical point of view (if you pay this may mean you are more attractive to hackers in the future) or a mix of all three.

However, sticking to that line can be a challenge when faced with customers, clients, or suppliers demanding to know how you are protecting their data or wanting a commitment as to when you will be operational again.

Companies should get ahead of the issue via crisis scenario exercises – game-planning the different scenarios the business could face and the consequences of decisions made.

Exercises help establish guidelines around the necessary steps and decision-making processes when addressing a ransomware attack.

Call the Experts – Decisions and communications at the early stage of the attack can have significant implications further down the line.

Whether it’s an update to employees or a notification to regulators, it is critical that companies call on specialist advice from the outset in the face of a ransomware attack – such as cyber insurance, forensic IT, legal counsel, and corporate communications.

This is critical on many levels including limiting potential reputational damage in the long term.

Control the Narrative – Part of your communications planning should include a timeline of when to deploy certain messages to specific audiences.

As with any breach situation, there are more unknowns than knowns in the early stages, and it can take a considerable amount of time before a clear picture emerges.

During this time, you likely won’t have new information, so it’s important to think ahead and plan the communications touchpoints.

The key is to balance keeping the lines of communication open and over-communicating when you have nothing new to say.

These are incredibly important issues to focus on because the trend of virtual work will continue way past the end of the pandemic as hybrid working becomes the ‘new norm’.

Broader access to the internet and innovations will further enable this trend of cyber-attacks and opportunities for threat actors.

After yet another ransomware activation last week, I commented to a colleague, “Where does this all end?” Perhaps President Biden has answered my question. I hope not.


For more information on our expertise and experience in cyber security communications and crisis communications, please click here.

Contact us