Cybersecurity and InfoSec aren’t for PRs to worry about… are they?
“Cybersecurity? Eh? That’s not a PR thing is it? That’s for the geeks and techies” was how one person spoke to me about learning #PRFest is putting on a session on Cybersecurity.
As the speaker for that session you won’t be shocked to hear I think they are completely wrong – but understand where they are coming from. After all, in the early 2000s, lots of PRs dismissed blogs and websites, then they dismissed SEO, then they dismissed social media… all things that are now key parts of any communicator’s toolbox. Cybersecurity is one of those things that – in various ways – you’ll see all PRs need to get to grips with in coming years.
The role for public relations in cybersecurity
Now, no-one is suggesting that the CIPR or PRCA start adding CPD points to people learning the basics of hacking (yet) but at every level of PR this is an issue. Consider the following issues for starting points…
People are your problem
The largest weakness in most firms for a breach is through people – either unhappy staff or people who don’t think security issues matter to them because they can’t see the harm in plugging a USB stick they found on a desk, in the street or from an event (in regular tests, 50% of people will pick up a USB stick that they have no idea of what’s on it and plug it into a machine). And are you sure that ‘John from IT’ who just called you is really John from IT? And who was that person who walked in behind you when you used your staff pass to open the secure doors?
It’s the role of internal comms to make sure people are aware of these issues – and the role of the senior communicators to make sure staff are happy and if not, the board know why and what can be done about it.
Reputation is all
At a reputational level, if people think your company is poor – either ethically or in some other way – then people are more likely to try and breach your systems. Again, it’s the role of the PR/communicator to ensure the company is not only being the best company it can be, but that the external world knows about that.
There’s also the minor issue of crisis comms…
At the most immediate level, there’s the issue of crisis comms if your company’s network is hacked or the website is brought down. Who has the power to do what? Does the comms director have the power to pull the website down the moment it is hacked? Who can authorise completely shutting down an internal hacked network (hint: quite often it isn’t the CEO) and at a more fundamental level, what plans are in place for the varying levels of scenarios that could happen – and have they been tested?
And what do you tell people? PwC’s cybersecurity simulator Game of Threats gives people an option to inform the public the moment they detect a breach. The only problem is that if you take that option things get worse because then more hackers and wannabe hackers pile in to try and access the network.
So when is the right time and what message do you put out? In addition to this, under imminent GDPR regulations there will be certain timescales you need to meet – or be heavily fined.
And what about the PR firms themselves?
This isn’t just an issue for other companies. PR firms – from one-person operations to the multinationals – deal daily with a lot of trade secrets and confidential information, lots of people come and go from their offices, accessing networks. How secure are those networks? Is there a competitive advantage for PR firms to point out that their security is better than their rivals? Can they prove it? Equally, just as social media crisis training is now provided by firms, is anyone offering cybersecurity crisis training or simulations?
PR at the heart of cybersecurity
Ultimately, nearly everything involving infosec or cybersecurity involves public relations. From proactive measures like informed, well-trained staff, to how boastful you are of your security (including any potential security bounties a company offers), how you train for a breach, what response plans and backups you have in place, how to reassure people that you can be trusted with their data, communication is at the heart of it all.
It’s a big topic but as with all PR matters, good planning and thinking can make a big difference.
Guest blog by PwC’s Craig McGill @craigmcgill