Practical advice on how to communicate in a cyber incident with Meredith Griffanti, FTI Consulting
Valeska and co-host Chris Kerrigan are joined by Meredith Griffanti, Senior Managing Director in Strategic Communications and Global Head of Cybersecurity & Data Privacy Communications at FTI Consulting in New York.
Meredith shares practical advice on how to communicate in the midst of a cyber incident, from managing the first moments after an attack to crafting an apology, choosing a spokesperson and dealing with multiple stakeholders. Meredith, Valeska and Chris discuss the importance of preparedness and coordination, as well as how legal and communications teams should work together during a crisis.
The Cyber Brief is a podcast for decision-makers in cyber. Through candid conversations with the industry's best, The Cyber Brief delivers executive-level insights on cyber risk, best-practice governance and emerging threats. Leaders in the field share practical insights, real-world stories and actionable advice for boards, executives and cyber professionals.
Episode three: communicating through a cyber incident with Meredith Griffanti, FTI Consulting
Resources from episode three:
Allens resources
- Service: Cyber - Allens
- A step-by-step guide to assessing compromised data after a cyber incident
- AICD's guide for directors on governing through a cyber crisis
- Cyberwashing and backtracking: why words matter both before and after cyber incidents | LinkedIn
- Cyberwashing: a key focus for data breach class actions
External resources
- Meredith's book recommendation: The Ransomware Hunting Team: A Band of Misfits' Improbable Crusade to Save the World from Cybercrime by Renee Dudley and Daniel Golden.
Valeska: Welcome to The Cyber Brief, the podcast for decision makers in cyber. Through candid conversations with the industry's best, we bring you executive-level insights on cyber risk, best practice, governance and emerging threats. We've advised on some of the world's most complex cyber incidents, and we know what it's like in the trenches. We're asking the experts for their unfiltered truths and best advice on what executives, boards and cyber professionals should be doing now to stay ahead.
Hi, I'm Valeska Bloch, Head of Cyber at Allens. In today's episode, we look at the importance of communications, both internal and external, during a cyber incident. My co-host today is Chris Kerrigan, a partner in our disputes and investigations team, and joining us today is our guest, Meredith Griffanti, the Global Head of FTI Consulting Cyber Security and Data Privacy Communications practice, and an award-winning crisis communications and cyber security PR professional. Before joining FTI, Meredith was the crisis communications leader at a global New York Stock Exchange listed company, responsible for driving messaging around the response to one of the largest cyber attacks in history. As cyber lawyers, we're often asked to draft or sign off on a huge amount of comms during a cyber incident; we see executives spend a lot of time agonising over word choice and trying to manage the tension between transparency in the face of limited information, while also triaging a fire hose of inquiries from the media, customers and regulators. This conversation is packed with practical tips and insights, from whether to apologise, to the ways threat actors are weaponising the media, to how to prepare and prioritise stakeholder communications and respond to deepfakes. It's a great reminder of how getting comms right is a key part of restoring, or, ideally, maintaining, trust and reputation, and how having the right experts and plans to support any crisis communication strategy is critical. It was a great discussion. We hope you enjoy it too.
Thanks so much for joining us today, Meredith.
Meredith: Very happy to be here. Thank you for having me.
Valeska: There's a moment in the immediate aftermath of an incident when the temperature is high, when not much is known, when the media is speculating, there's an intense urge, or maybe just a real need, to say something. How would you be coaching executives through that moment?
Meredith: It's always a delicate moment where, to your point, you don't know a lot, you have to say something. You have to get out there and communicate with your employees, your customers, a lot of times, if there's an operational disruption, the press. So, our counsel and advice is, frankly, a lot of times, to be transparent and to be honest, but not to make promises or get ahead of the facts. Many times, you know, we see our clients, in addition to the overzealous CEO that wants to get out there and call everyone a cyber terrorist, we see our clients want to make promises about the type of data that may or may not have been impacted in early days, and that's one of the hardest things to really know early on. So, we really counsel to stay rooted in fact. Talk to, you know, all of your different vendors that see this, day in, day out, your forensic team, your cybersecurity lawyers, and make sure that you're not saying anything that will get you in trouble down the road. You know, the worst thing is when you have to say something, and then you have to walk it back later.
Valeska: Because there's a real tension, isn't there, between being transparent and then also not, as you say, not having to walk things back, but also not compromising any negotiations with threat actors.
Meredith: Correct, exactly.
Valeska: Not disclosing vulnerabilities in the security of your infrastructure while things are still playing out as well, or also exposing yourself to regulatory risk. And I think you make a really good point: actually being able to understand what data has been compromised, and the impact of that, can often take weeks, if not months.
Meredith: I think people think in their minds that when a company gets hacked, the hacker, like, reaches in and steals this nice little neat spreadsheet of, like, name, address, telephone number, and it's all very organised. But in reality, these, in particular, ransomware attacks tend to be very smash and grab, where the bad guys are just trying to get their hands on whatever possible before they're, you know, caught, before they get detected. So, oftentimes they're exporting, you know, yes, spreadsheets, but, like, PDFs of invoices and employee records and things that are just unstructured in nature, so they have to be reviewed manually, by hand, a lot of times. It could be 1000s of those types of documents. And in particular, if you're a B2B organisation, you think, Okay, I've got to scan those documents for, like, sensitive information. Then I've got to correlate the sensitive information of an individual, maybe to a customer of mine, which is a different organisation. So, there's just a lot of nuances and complications, and I get how frustrating it can be, in particular for the public, for the press, when they're like, Why can't you just tell me if my stuff was taken, and it's just not that simple.
Chris: Meredith, do you have a view on who should be the spokesperson for a company in an incident?
Meredith: I think it depends, not to give you the typical communications person type of answer. I do feel like the house type of moments require top dog, you know, CEO-level type of attention, just to show that, you know, the organisation is really taking it seriously. It's all hands on deck. Then again, you know, we also deal with incidents that involve third-party vendors. It's not necessarily a breach of the company's own systems, not that it makes it any less important, but I don't think that's necessarily one where the CEO of the company needs to get out there and start making phone calls, right, to customers of theirs. So, I worked at a company before coming to FTI, which you're probably familiar with, Equifax, very large global credit bureau. They had a huge incident in 2017, I think at the time, it was one of the largest data breaches of all time. And of course, that was one that really required, you know, a CEO, and even you know, in some cases, board-level public spokespeople. So, it really depends on the type of situation.
Valeska: Do you think organisations should apologise in a cyber incident?
Meredith: Always, of course! If anyone tells you otherwise, that's kind of like the lawyers getting to take over. And I love cyber security lawyers, like, usually we're so on the same page, and we're, like, best friends. But this concept of, like, if you say, I'm sorry that this incident, like, disrupted your day-to-day lives, or caused, you know, any type of inconvenience, and they're saying, like, That's opening too much legal risk, like, get new lawyers because, I mean, it's just human. I'm not saying, like, we should go out and say, like, I'm so sorry this ever happened. You know, so sorry we didn't prevent this from happening. I'm so sorry, you know, that we didn't patch that vulnerability we should have patched six months ago. But saying, like, I'm sorry for the disruption this incident has caused. Like, absolutely, yeah.
Valeska: We see that come up a lot, where people get really fixated when they're developing their comms on whether or what they should say about how the incident arose in the first place, as opposed to really just focusing on the impact, especially in the early days, where that's really all that is known. It's the immediate impact that it's having and the very real impact it's having on individuals and other stakeholders.
Meredith: Of course, yeah. I mean, if it's, I think about, you know, incidents we've worked on in the States, where direct, like, consumers, have been affected because they didn't get their product on time. They couldn't, you know, fill up their gasoline tanks because of an incident, whatever it was, and, like, for the company not to say, I'm sorry that this happened and you're experiencing this, like, it's not a human reaction.
Chris: So, if we think about how incidents evolve, there are a huge number of stakeholders that an organisation needs to communicate with. I mean, just some examples, obviously internally, employees, the board itself. Then you look external, often you'll have customers, suppliers, the market regulators, government agencies, the list goes on. How should organisations think about prioritising communications with those stakeholders?
Meredith: It's a great question. So, it's one I get all the time, and as an employee of a company that went through this, I tend to think all of those stakeholders are really important. Not one is more important than the other, but your employees, and I always find myself saying this, have the potential to be your best brand ambassadors. They're the ones that have to sit around the dinner table, have to get on the aeroplane and tell the person next to them where they work, and if your company is in the headlines for a cyber crisis or for any other type of crisis, you want them to feel empowered and confident and comfortable saying the right things. If they aren't equipped with the right things to say, they oftentimes feel pressured to fill a void and kind of go off script, which is the worst thing that I think can happen. So, I think employees are often the most forgotten stakeholder group in these incidents, and to me, they're one of the, if not the most important, but you're exactly right. The list goes on. There's so many stakeholders and there's so many competing priorities during an incident, that it's totally overwhelming. In particular, we see, like, the B2B type of companies that are now getting hit over the head with security questionnaires and requests for indicators of compromise and requests for CISO to CISO phone calls, triaging those in the hundreds, sometimes even thousands, on top of media inquiries, regulatory inquiries, employee questions, holy cow, it's a lot to deal with. So, my advice, and what we tend to spend a lot of our time working on with our clients before an incident happens, is setting up, like, a command centre, if you will, and the infrastructure to deal with those kind of, you know, escalations and that kind of onslaught of inbounds, is something that we spend a lot of time doing.
Chris: And just thinking about the practicalities, these incidents are unfolding often over a very short timeframe, there's a need to engage with multiple stakeholders. Do you advise clients to try and take stakeholders and do those kind of updates on a group basis, or should it be done individually with each category?
Meredith: Yeah, I think, look, the message, I think, always needs to be tailored to the specific group, like employees might need to hear something a little bit different than investors, for example. But what you really want is for the message to be consistent across the board. You cannot tell your customers one thing, the regulators something else, the press something a little bit different. I'm not saying the words need to be, like, you know, exactly aligned, but the basic messaging has to be and the facts have to be the same. So, I think where we see companies, you know, get into trouble is when the sales force goes off the script a little bit, and starts to tell top-tier customers something a little bit different. There's a swirl that goes on. We know that competitors in different industries talk to each other and share information. So, for me, it's really important not necessarily to, like, batch update people, but to give them the same set of facts. You know, a lot of times our clients are experiencing disruption that affects corporate email or CRMs or marketing software that is used to send out those types of updates. So, we'll help them to stand up a microsite, and that can be a great place to post things for, you know, the media, so you're not fielding 1000 different reporter inquiries, and for customers, in particular, if you're trying to give updates around a restoration timeline of a product or service. So, that's something we lean on a lot of times as well.
Valeska: We also often hear that in these sorts of incidents, organisations realise that they actually can't mass communicate with all of their customers, because when they try to do that, it flags as spam and there are various other issues they have to contend with. How do you think about dealing with those sorts of issues?
Meredith: Well, I try to figure that out before a cyber incident happens, because it's really difficult to build the plane while flying. It's the same thing for, you know, trying to triage all those inbounds that are coming in at the same time, building an infrastructure and system around that, building a microsite in the middle of a cyber incident when things are down and your IT team is focusing on a zillion different projects. All of those things need to be, like, settled in advance. Again, like third-party marketing applications, breaking customers down into different tiers or groups by industry or by revenue size, or leaning on relationship managers and sort of the frontline customer service people can be great as long as they're equipped appropriately with the right talking points and, you know, FAQs and escalation path. Using them as a first line of defence can be really effective, but my best piece of advice is to test that beforehand.
Valeska: Can we talk a bit about whether and how the dynamic changes in a supply chain incident? Because there's obviously a need then to communicate both with and about the supplier. So, how do you think about that?
Meredith: It depends on if I'm working for the supplier or if I'm working for the downstream victim.
Valeska: Let's talk about both.
Meredith: In the midst of the, you know, Salesloft Drift incident, we've seen, in the Oracle EBS vulnerability being exploited, again by CLOP, I think about, you know, what the downstream victims are going through, and we're working for a lot of them right now, and it's kind of the same process and playbook, if you will, nowadays, as if you were the victim yourself, because it's still your data. You still have your name named and shamed in a lot of these cases. You're still extorted in many of these cases, and you still have to make, because it's your data, the end notifications and regulatory filings as if it were your own breach, right? Well, it is your own breach, but as if it were your own attack or incident. So, I think, in many ways, you know, the strategy then becomes Okay, I don't want to be out there first. I don't want to say anything more than the rest of the victims of this incident are saying, because I really want to be middle of the pack and not get more ink and make it more about me when it's really this third party that had the incident. So, we try to kind of help with that strategy to the extent possible. And then I'd say, on the flip side, if I am, you know, we've been on, we've done this a zillion times, too, for the, you know, MSSPs, or the SaaS companies, or infrastructure as a service companies that do end up getting hit and then have to support the downstream victims. I would say in that case, you know, communication is key. Transparent communication is key. Regular updates are key, not trying to downplay the situation is very key. And then any support that you can offer to the companies that are having to deal with the notification process because it's cumbersome, it's expensive. That's really welcomed as well. I mean, when you think about an incident as big as, like, Drift, for a company that's, I think, PE backed and not huge, like, obviously they can't pay for the notifications to all, you know, individuals, that's just not feasible.
But like, you know, can they be giving regular updates, like, regularly share, and I think they are, right, regularly sharing best practices, all of those types of things really do go a long way, in particular when they're transparent from the get go.
Chris: So, Meredith, are you finding that threat actors are weaponising the media?
Meredith: I remember one of the first incidents I worked on with the Maze threat actor group. They threatened to hold a press conference with the media as part of, like, the pressure they were putting on this company, and they had, like, specific journalist names they were going to call to tell them about this incident. So, I would say they continue. They always have tried to weaponise the media. I think that's almost like a standard part of the playbook, as we know, they're going to call certain reporters or try to sell their story to certain reporters. Their Rolodex of media, cyber trade and mainstream media journalists is just as good as mine. So, we kind of tell our clients to plan for that. What's newer, I think, is the stunts we're seeing around, you know, everything from harassing executives, using AI to create lewd photos of executives and send those out to employees, sending death threats to executives' homes, swatting, of course. Social engineering helped all of the things that we're seeing play out right now with, like, the Scattered LAPSUS Spider Shiny group that I don't even know what they're called now, but you know, we see the public back and forth spats between the group members doxing each other on Telegram and Discord. I mean, that's all newer and interesting, of course, but also keeps law enforcement close on their heels, which we've seen a lot of take-downs these days. I would say—sorry, this is a long-winded answer to your question—but what I think is really interesting with these groups is, post law enforcement takedown of, you know, LockBit and BlackCat and ALPHV, you know, we're seeing them really start to splinter off and become more disorganised. I think to some extent the old tried and true groups were pretty, like, true to their word, you know, you paid them. They went away. They didn't leak data. They didn't come back and re-extort you. Now it's kind of a new day and age where we're seeing them renege a lot.
We are seeing them come back for seconds and thirds. We're seeing them extort downstream customers of the victim that they got a payment from. So, it's just kind of like the Wild West right now.
Valeska: You spoke a bit earlier about the importance of being prepared and testing some of the systems in advance. Can you talk a bit more about how organisations should be thinking about their comms strategy in advance, and some of the gaps or challenges you see in an incident that can actually be addressed ahead of time as part of those preparedness activities?
Meredith: I would say, anytime we get asked to develop a cyber security crisis communications plan, the conversation always starts a little like this: Hey, do you have some templates that we could use for if and when we have a ransomware attack? And, like, just, you know, just some media statements and some, like, letters we could send to our customers. And like, my god, that's the easiest part of dealing with crisis communications during an incident. What we really see companies struggle with, and where they tend to fall down, is executive decision making. It's setting up work streams where information is properly being relayed from the negotiation work stream to the containment and remediation work stream to the comms team that is drafting responses based on that set of facts, and then, kind of like the approval and, again, decision making: when do we go out and say something proactively, versus when do we stay reactive and kind of hope that this doesn't go public? Are we breaking ourselves into jail and making ourselves a headline when we don't necessarily need to be? When does the board get involved? When should they be involved? Those are still kind of like the basic blocking and tackling things that we really see teams struggle with when it comes to this type of crisis. And I think it's because you've got a lot of different functions of the business that have to come together in a very high-pressured situation, and they don't work together on a day-to-day basis, right? Like, IT and infosec doesn't really tend to work with, you know, crisis comms or communications teams, or even, like, the legal team on a day-to-day basis, and they're certainly not, like, in front of the board, and they kind of get thrown in front of the board, right, in these high-pressure situations. So, I think working a lot of that stuff out ahead of time, meaning, who sits over this work stream? How do we get together and meet, do we need to do that hourly, once a day, twice a day?
Who's the final decision maker on what we say to the press? Like, the hours we have spent and wasted on live editing calls with, like, chairmen of boards and GCs and CEOs, like, debating whether we're gonna say cyber incident or ransomware. Like, it's real. Those are real struggles. I've also seen another real-life story where, you know, in the ransom negotiations, the team is told by the threat actor, do not report this to law enforcement or otherwise, you know, game over. We're not negotiating. We're going to leak your data. And then the comms team puts out something that says We've hired third-party cyber security experts, and we notified law enforcement. It's, like, why are those two teams not talking? You know? So, that's what our, that is what our FTI crisis management plans and crisis communications plans tend to focus on. I talked earlier about putting that infrastructure in place to stand up a real-life, you know, tiger team, or SWAT team, or command centre, whatever you want to call it, to triage and mount inquiries, because we know that is one of the hardest things about incident response. So, that's what we tend to focus on at FTI, when we're building out these plans, not the, like, templates that you can just probably ChatGPT, yeah.
Valeska: And also, I think, getting the right information really quickly out to frontline workers as well, across all of the different channels, we often find that at least some channels are overlooked in the process, as opposed to if you've actually prepared and mapped that out in advance.
Chris: Just thinking about the tone an organisation takes in its communications. And we touched a bit on this in the context of talking about the apology, but the company or the organisation will have a voice, a style of communicating generally, but clearly there are very serious risks, legal and otherwise, associated with communications. How should an organisation think about balancing that to make sure it's authentic in its communications, but not exposing itself to unnecessary risk?
Meredith: I always like to look at statements from, like, these kind of more tech startups that are usually, like, very quirky and very unique in the way they communicate, you know, very punchy, and then all of a sudden they're, like, Upon discovering this incident, we immediately activated our incident …? It's so buttoned up. And you're, like, What the heck is this? Like, some lawyer; I feel like I'm knocking on lawyers, and I swear …
Valeska: We're used to it.
Meredith: … I get all my business from lawyers.
Chris: We didn't pay you to say that.
Meredith: Like, someone stiff wrote this and you're like, What, you know, what happened to that partnership between legal and comms, right? Like, that is such an important part of this ecosystem and responding and supporting these companies. So, I think it's about staying true to your authentic voice but, again, having your comms and legal team and your comms and legal advisors really working together to strike the right tone, sound like you, but also not say things that are going to, like, get you in trouble or, again, getting ahead of the facts. Like, it's okay to still sound normal, not like a robot. That's part of our job, right, is to kind of like work together, I think, to advise the clients around that.
Valeska: Can we talk about AI and deep fakes? We've made it this far without saying the words AI.
Meredith: Yeah.
Valeska: But you mentioned before, sometimes seeing fabricated lewd photos of executives. And over the past year, I think we've seen a number of incidents that have been enabled as a result of deep fakes. And one of the scenarios we've been thinking deeply about is where, for example, there's a deep fake of a senior executive, say, a CEO of a public company that is making public statements. How do you think about responding to that sort of incident where there's a real question around trusting the executives that are going to be then coming over the top of the deep fake to make further statements to correct the record?
Meredith: We're actually about to do a tabletop for a large organisation that is this exact situation. And I think it's about really knowing the audiences and the channels by which you typically reach them for the company, right? Like, if you're a healthcare organisation and it's the CEO, the hospital organisation. How do you, you know, quickly and authentically get in front of your workforce, your patients? I'm just using that as an example because it's top of mind for me. So, whether that's, like, in-person town halls, where there's a recording of the actual person there that you can distribute through, like, authorised channels. This is a case where, I think, like, digital targeting and some of the tools that you know, all of our teams use these days to, I think, kind of figure out where the news is being amplified and redirect through various search engine optimisation tools. This is so, like, not my thing. Like, I actually would really lean on our digital team for that, and then just kind of being clear and honest about, like, this was not real. This is what's real, and setting the record straight, this is where I'd lean on my trusted journalist relationships too.
Valeska: Doing more doorstop interviews, where you've got other people and traditional media helping too.
Meredith: Exactly.
Chris: Well, that's all we have time for today. Thank you so much for that, Meredith, that was fascinating. But before we wrap, can we ask one final question?
Meredith: Of course! This has been so much fun, you guys.
Chris: Well, hopefully this one's fun too. Do you have a favorite cyber book, podcast, movie, TV show?
Meredith: This is a great question. I have an actual favorite book. I'm gonna throw it up on screen here. It's called, I just finished reading it, The Ransomware Hunting Team. It's so good. I don't know if you guys are familiar, I'm sure you are, with the website BleepingComputer, but it's kind of about how that started. The subtitle of it is 'A Band of Misfits' Improbable Crusade to Save the World from Cybercrime'. It's really good, and it was fun because it's got some of the cases that I actually worked on in it. So, it was neat to go back and read and be like, Oh, wow. Like, that's what everyone else thought. Very, very cool.
Valeska: Brilliant. Well, thank you so much, Meredith, this has been fantastic. Really appreciate your time.
Meredith: Amazing. Thank you, guys, for having me.
Valeska: I thought that conversation was great. One of the points that really stood out to me was the sheer volume of requests that organisations need to intake in an incident from a variety of different stakeholders, and the need to make sure that the infrastructure for dealing with that is set up in advance of an incident, and also making sure that that infrastructure is actually tested so that you know that it works, especially if your usual communication channels have been disrupted.
Chris: Yeah, I agree. And I think the other thing that I think was really important that Meredith stressed was to not run ahead of the facts and to be consistent in your communication. You will need to tailor that communication to different audiences, but it has to be consistent across all of them. You can't be telling different people different things.
Valeska: Yeah. And also, I think, the importance of really elevating communications with employees as well, that idea that they are your brand ambassadors and are going to have so many different touch points with the community at large, as well as all the other stakeholders we've spoken about. I think it's an area that's actually often overlooked in comms.
Thanks for listening to this episode of The Cyber Brief. Check the show notes for resources from this episode, or visit allens.com.au/cyber for our latest thinking. Don't forget to follow, to keep up to date on what's ahead for cyber risk governance and emerging threats as we interview some of the most respected voices in the industry.