As the world begins to emerge from the long-lasting crisis of the Covid-19 pandemic and the vaccination rollout programme gathers pace, it would have seemed the worst was over, and some form of normality would resume for our beleaguered health care system. However, as recent events have shown, here in Ireland Murphy’s Law holds especially true and it is when we least expect it that crises will invariably hit. The recent cyberattacks on Ireland’s health system have sent shockwaves across the country, with IT departments and communications professionals scrambling to adjust and edit their cyber crisis communications plan. At the best of times, managing a crisis is no easy feat and all those involved in managing this crisis in Ireland’s healthcare sector must be applauded for the grit and determination they are showing in facing down those responsible and managing the fallout of this heinous attack.
As we know, it is not just the operational reality of a crisis that must be managed; it is also managing the reputational fallout. With increased public and media scrutiny, amplified by the power of both social and traditional media, holding people and functions accountable requires a considered approach to communications and is essential to help steward an organisation through a crisis.
Organisations must keep this in mind when they are facing crisis, so that the crisis does not morph into something much greater. When trust is breached, and vulnerabilities are shown, it is important that the public stays on-side. At Reputation Inc, we work with our clients, nationally and internationally, in delivering reputation risk and crisis communications strategies that best help mitigate the operational and reputational risks that are arising in this ‘never normal’ world. While the crises are many, and oftentimes seem “new”, such as the recent surge in cyber-attacks, the principles of good crisis communications will stay constant.
Often, a genuine crisis for your organisation will be something unexpected but if you are vigilant and have an ongoing risk register trends begin to emerge on the types of crises that may affect your organisation. Cyber-attacks have dominated reputation risk scenario sessions in the 21st century as they are a common risk that can face all organisations regardless of size or sector. A comprehensive plan can help lay out the proper communication strategies and approach for monitoring all relevant information, processes for approving and issuing information and, crucially, the roles and responsibilities of an approved crisis communications team. Has your crisis communications plan got a cyber-attack scenario and recommended approach?
Key messages are the main points of information you want your audience to hear, understand, and remember. Effective messaging will align with the interests and concerns most important to your stakeholders. While it is inevitably more difficult to initially set up the narrative and series of events that have led to the breach, it is important for stakeholders that messaging is simple, credible, correct, and delivered in a prompt and consistent manner. Even in times of uncertainty where there are several unanswered questions, it is still important to find and work with the most important and influential voices and amplifiers in your stakeholder ecosystem and then create or update your comprehensive contact list. Being transparent is key to coming out the other side unscathed and sharing what is known and unknown about the situation as it relates to your organisation and its key stakeholders is paramount.
In any crisis, those delivering the message to stakeholders are vital in helping key audiences better understand how the organisation is responding. How a spokesperson handles public and media queries is vital in proving trust and credibility in an organisation. In the case of the recent cyber-attacks, it is important that the designated spokesperson has all the key messaging and that, if possible, they are well-versed in the topic they are speaking on. Your spokesperson needs to be trained to deliver your agreed messages through the chosen channel of communication competently, whether it be live broadcasted conferences, or conducted appropriately through their social media channels.
It is important to be adaptable in crisis times, monitoring and evaluating your efforts on an ongoing basis. This way, if your communication approach must change, then it has the flexibility to do so. We saw this week how the situation evolved daily, and how the government and the HSE had to closely manage this, pivoting their messaging approach when required. By keeping track of learnings during a crisis, you can help make sure that your organisation is more prepared for the future. Each day of a crisis can, and often will, as we have seen, bring new challenges, and it is important that you are agile enough to adapt.
The unfortunate reality is that cyber-attacks of this nature, coordinated by highly sophisticated criminal organisations, are increasingly commonplace in Ireland and many of the country’s leading businesses have been targeted in the last year, often going unreported in the media thanks to strong management and strategic communications programmes. From our experience in dealing with these situations, these criminal organisations are extremely effective in both the approach and timing of their attacks, often targeting companies when they are at their most vulnerable or distracted.
With this in mind and having observed the negative impact that a cyber-attack and the subsequent fallout can have on an organisation’s reputation amongst its key stakeholders, cyber crisis management has become a key focus area for Reputation Inc. Our aim is to ultimately protect the reputation of the affected organisation. We have worked with numerous clients to create preparedness plans for a wide variety of potential scenarios aimed at effectively communicating with key stakeholders throughout the lifecycle of an issue.
Martyn Rosney is a Director at Reputation Inc and leads Public Affairs Ireland’s interactive webinars on Crisis Communication and Reputation Risk.