Raising awareness, counter attacks, and safeguarding communications operations
Cybersecurity is one of five trends identified by the Communications Trend Radar 2022. Cyberattacks have become “the new normal” and can cause substantial financial and reputational damage. Due to increased digitalization, remote work, unapproved software in the workplace, and deepfakes, organizations have become more vulnerable. Communication departments must systematically address cybersecurity threats and need to secure their own digital infrastructure and CommTech stack.
Why we have put cybersecurity on the agenda for 2022
Anke Schmidt, Beiersdorf
“We expect cybersecurity incidents to be the norm rather than the exception. It’s something an organization must be prepared for.”
Although cybersecurity isn’t a new topic, it has become increasingly relevant in recent months and will shape the near future. The number of cyberattacks and variants of malware are rising rapidly and new threats such as deepfakes are emerging. Flexible work environments and remote work have exacerbated the risks – for example when private devices (“bring your own device”) are used for work, when unapproved software or hardware (“shadow IT”) is installed, or when video conferences are the norm. Often, cyberattacks target employees as the most vulnerable point in the security architecture of an organization.
Preparation is everything
How could communication departments prepare for cyberattacks?
- Raising awareness: Employee misconduct (mainly unintentional) is still one of the biggest risk factors for cybersecurity. Corporate communication professionals can help to raise awareness of cybersecurity threats that employees and other stakeholders aren’t sufficiently aware of yet (e.g., deepfakes). Although this seems self-evident, research shows that not all companies are taking these precautions. As a matter of fact, only every third communication department across Europe is addressing cybersecurity threats in internal communications and only every fourth is educating employees (European Communication Monitor 2020).
“Training employees to think and act with security in mind is the most underfunded activity in cybersecurity budgets.”
- Prepare crisis communication: Prior to potential cyberattacks, communications departments should establish and maintain crisis communication capabilities, e.g. a crisis team, and establish a crisis information knowledge database including FAQs.
- Set up a crisis communication infrastructure: Corporate communications should prepare backup structures including alternative communication channels outside the general IT infrastructure – in case the corporate website or the company’s social media channels are hacked. These alternative channels are then needed to stay in touch with stakeholders and to inform the public. Regular drills and testing are advised.
(Carsten Tilger, Henkel)
“Back in 2017, we became aware that a malware attack via our email systems was imminent. Our first instinct was ‘Let’s write an information email’. But obviously, this wasn’t an option. Luckily, we had set up an IT tool ten years ago which was separated from our email client. It allowed us to display a warning message on 250 screens in cafeterias and production sites. We also had a tool for displaying the information on the screensavers of all computers around the world.”
In the event of a cyberattack, what is recommended?
In the unfortunate event that an organization has become the victim of a cyberattack or data theft, the research team recommends four steps:
- Create transparency: Corporations need to decide in a first step a) what information to disclose and how to frame the message, b) when to disclose, and c) how to disclose (channels). Recommended strategies include accepting responsibility, avoiding downplaying the incident or blaming others, and addressing the feelings of vulnerability which affected subjects might have. Early disclosures are desirable and might allow public opinion about the incident to be framed.
- Brief the staff and ensure sufficient resources for handling customer requests and media enquiries after the disclosure of the cyberattack.
- Deliver the message: Ideally, the CEO or chair should inform the public to emphasize that the incident is being taken seriously.
- Sharing information about cyberattacks with other organizations is crucial and can help others to withstand further attacks. A platform could be established for sharing information with other organizations.
Taking care of our own turf: Securing the communications infrastructure
Today, internal and external workflows in communication departments and stakeholder communications heavily depend on a variety of digital tools and platforms. These so-called CommTech tools, however, are often “lightweight infrastructure” (also called shadow IT). They are installed by communication practitioners on their computers or are online services provided by small start-up companies serving the PR industry (Zerfass & Brockhaus, 2021). It’s crucial to look at every CommTech investment in communication departments from a security perspective to protect the communications infrastructure and to ensure continuous operations.
Yet only a few communication managers across Europe are involved in the implementation of security measures or guidelines in their own department, according to the European Communication Monitor 2020.
About the study
For the second time the Academic Society for Management & Communication presents the Communications Trend Radar – an interdisciplinary and scientific study on the most important trends that will influence communication management in the near future. It analyzes changes in the areas of society, management, and technology. For 2022, the team led by Professors Stefan Stieglitz (Business Information Systems) and Ansgar Zerfass (Communication Management) identified the trends: Language Awareness, Closed Communication, Gigification, Synthetic Media, and Cybersecurity.
The trends were selected and scored on a scientifically sound basis. More than 100 sources from research and practice were included. Selected aspects will be further researched in in-depth projects. The study aims to support communication managers in setting the course and guiding decisions.