Criminals have spotted this weakness. The FBI has reported a fourfold increase in cybercrime, with complaints up from 1,000 to 4,000 a day. In the UK, Ciaran Martin, chief executive officer of the National Cyber Security Centre, has said: “Technology is helping us cope with the coronavirus crisis and will play a role helping us out of it, but that means cybersecurity is more important than ever.”
But are organisations paying enough attention? Understandably, they are focussing on the more visible issues, such as protecting revenue, ensuring operations run properly, looking after furloughed staff, and so on. In doing so, they’re exposing their organisations to unnecessary risk. Many of the breaches won’t come to light immediately, but when they do, they could be highly damaging for the organisations involved.
Specific, personal, simple, relevant, endorsed
We must recognise that this is as much a people and communications challenge as it is a technology one. Corporate security depends on people understanding the risks and taking the right actions to manage them. So, what to do, and how to do it? Here are six stages for effective comms in an IS crisis.
Focus on here and now
The challenge right now is to reshape existing training on cybersecurity for a remote virtual environment, and to engage people in it while they have many other demands on their attention. Having spent much of the past few weeks working with some of the UK’s largest organisations on precisely that challenge, we believe success here comes from being specific to current circumstances.
Tell people why, and how, the risk appears
Explain the specific risks to look out for. Explain to people why this is a major risk right now. We’re seeing a large number of phishing emails about government grants, free school passes, requests for donations, and so on. Think about the five or six most critical risks for your organisation and share those with people. Update them regularly as the risks evolve.
This is a good opportunity to ask people to ‘spring-clean’ their digital footprint. Typically that involves closing dormant accounts, removing confidential data like passport and driving licence pictures from email accounts, and deactivating geo-tagging from apps. Right now, we all know exactly where we are – home – but when this has passed you don’t want long-forgotten apps tracking your every movement.
Make it personal
People don’t engage with people telling them what to do, so avoid an overly didactic approach. Instead, make it personal. Share stories about real people – people like them – who have been tricked. Get people involved. Show them a current threat and ask them to think about how to react. Find ways to engage them at a more personal and emotional level than a purely theoretical one. Ask them to share their learnings with vulnerable family members.
Don’t assume that people have more time for this now. In fact, many people are busier than they have ever been, and there are more demands on their attention than ever before. So, be conscious of how much of their time you take and work hard on your sessions to get them as concise and focussed as possible. For BP, for example, we’re keeping it to 30 very focussed minutes. What are the three things you want people to come away from this with? So consider context and make sure every point you make, every example you use, is entirely relevant to people right now.
Get the right backing
Finally, remember that endorsement from the top matters. A recorded message or an email from the CEO makes a difference to levels of engagement. And, while there are many demands on your CEO’s time right now, if we want to come out of lockdown as securely as possible, this is an area they cannot afford to ignore.