Crisis communication after a phishing attack
Phishing is currently a hot topic in the media, and has been so for a while now. Everyone thinks that a major attack will not happen to them, but what if it does happen to you as a company? Then you certainly need one thing to save your reputation as a company: a well thought-out crisis communication plan. But how do you deal with that in concrete terms?
Good crisis communication all starts with putting together a diverse core team that you can call upon in the event of a crisis. By determining the team in advance, you do not lose valuable time and you prevent too many people from being involved.
As soon as there is a crisis, this core team must be called together. They in turn draw up the crisis communication in two parts: internal and external communication.
Internal communications
Internal communication to your employees always comes first. This means that you must communicate with your employees as quickly as possible. It is best to follow the following principles:
- Be honest and transparant
- Provide detailed information about the attack
- Tell your employees what you expect from them
- Keep it simple
External communications
Since the introduction of the GDPR, it is mandatory to report a data breach (where personal data is suspected to have leaked) within 72h. You must report this to both the suspected data subjects and the data protection authority.
It is best to follow the following principles in this external communication:
- Release communication as soon as possible
- Give a concrete status and try to provide a solution
- Accept your responsibility in a statement
- Use social media to distribute your communication
- Use the negative news as a lever to a positive future
- Preventing is better than curing
