In March 2018, the city of Atlanta suffered a ransomware attack on some of its systems, including online payments. The cybercriminals demanded more than $50,000 to unlock the encrypted information. While that amount wasn’t insurmountable for the city, it wasn’t the only cost. Beyond remediation costs — the city paid at least two firms to help resolve the issue — administrators had to direct resources to communicating with residents and employees and controlling the unfolding narrative.
Events like this one exemplify the necessity of crisis communications. Cyberattacks have stood in the headlines often in recent years, but the need to respond to these happenings has existed for some time. Some key differences include the means in which organizations can communicate and new issues they may face when attempting to control the story, such as citizen journalism’s proliferation via social media.
What constitutes crisis communications? What are some best practices for doing so, especially in today’s digital era? The means may have changed how public relations professionals contextualize these answers, but the underpinnings remain the same.
What counts as a crisis?
Before discussing how the responses happen, PR professionals must first understand what constitutes a crisis. The Institute for Public Relations gives three criteria:
- Financial loss: The city of Atlanta had two choices when facing its ransomware attack: pay the ransom or hire cybersecurity vendors to address the issue. In either case, the city would suffer an unexpected expense. Lawsuits, stalled operations and loss of market share also fall into this category.
- Public safety threats: Luckily, the Atlanta attack affected only customer-facing applications. However, when events target critical systems, including water and power infrastructure, the public could be at risk. The same is true when events lead to injuries, such as industrial accidents.
- Reputation damage: This risk arises regardless of what kind of crisis occurs. Organizations can lose trust from customers, employees and shareholders.
These criteria also depend on each other. For instance, BP’s reputational loss due to the Deepwater Horizon oil spill prompted consumer boycotts. An organization that size didn’t see much of an effect from those actions, but similar reaction could prove costly for smaller businesses.
How do organizations respond?
Some might assume that crisis communication tips include only reactionary items, but much of the work begins before an event happens. In this pre-crisis phase, organizations create the processes to manage risk and have a plan in place to respond efficiently should a crisis happen.
When organizations prepare for a possible crisis, they spend less time scrambling. Here are a few pre-crisis steps:
- Risk assessment: Identify areas that could create a crisis. Other municipalities could suffer the same fate as the city of Atlanta. If they expect ransomware attacks and other risk vectors, they can better prepare communications for more possibilities
- Crisis management plan: With a list of risks, organizations can develop response strategies for each scenario. These plans can preassign roles and define ideal steps. The Department of Homeland Security explained that this preparation considers audiences, too. This group includes news media, suppliers, government regulators, customers and more.
- Key personnel: Who sends press releases? Who monitors social media? Organizations can designate a team of employees who coordinate the response. Human resources, public relations and legal staff are among typical members. Designated spokespersons act as the public face for the plan and its communications.
Following the city of Atlanta ransomware attack, news media heard from the city’s mayor, Keisha Lance Bottoms, chief operating officer, Richard Cox, and deputy chief information officer, Daphne Rackley. These crisis communications include cautions for residents, such as monitoring personal financial statements, and ongoing updates about what the FBI and DHS investigation revealed.
This is just one crisis communications example, and others have the same underpinnings. Writing for Public Relations Tactics, Mark Bernheimer, founder of MediaWorks Resource Group and former national CNN correspondent, said responses typically need to include three broad categories:
- What happened
- What caused it
- How the organization plans to prevent repeat incidents
The IPR noted that company websites, mass notification systems and company intranet are typical channels for responses. Social media not only creates a vehicle to present information, but it also allows organizations to respond to questions in real time. Crisis management teams can even use social media to monitor what others say about the event and pivot their response communications to account for public sentiment and rumors.
Bernheimer and the IPR highlighted the importance of gathering accurate information before sending out any communications. All members of the crisis management team should have these uniform details to ensure consistent messaging. In an interview with Forbes Agency Council, Ashley Walters of Empower MediaMarketing explained that organizations should be transparent if they don’t have certain information yet rather than saying “no comment.” City of Atlanta spokespeople took this approach while they were still investigating the attack and before they decided if a paying the ransom was their best option.
Transparency also helps with maintaining sympathy for the victims in all communications. The organization has much to lose and should take responsibility, but it can lessen its reputational damage by outlining how it intends to remediate the issue for affected individuals and communities.
How can you learn more about crisis communications?
These example strategies are just a few of the types of plans that go into crisis communications for events like the city of Atlanta ransomware attack. If you want to be part of the teams that manage these responses, you can expand your expertise with an online Master’s in Strategic Public Relations from the George Washington University.
With a course devoted to issues management crisis communications — among several other offerings that can broaden your practical PR knowledge — this program can equip you to help usher your organization through its next crisis. For more information, contact an enrollment advisor today.
A Cyberattack Hobbles Atlanta, and Security Experts Shudder
The FBI is investigating a ransomware attack on the city of Atlanta
Atlanta’s Ransomware Cleanup Costs Hit $2.6 Million
Crisis Management and Communications
Crisis Communications Plan
The Predictable Part of a Crisis
13 Golden Rules Of PR Crisis Management