The ransomware attack on the City of Oakland evoked several discussions, from the lax security of public administration bodies to the need of ransom negotiation.
In between the firefighting, analysis, and criticism, hardly anyone noticed a job well done: effective stakeholder communication during a crisis.
Since February 8, 2023, when the IT systems of the City of Oakland failed, the civic body has been consistent in updating the public on the incident.
Admitting early on that it was a ransomware attack, rather than going for cliché descriptions that progress from “IT systems failure” or “cyber incidents”, the City of Oakland’s response and communication efforts in the aftermath was effective and transparent.
The City of Oakland and effective stakeholder communication during crisis
Apart from taking immediate action to contain the attack despite the severity, the City of Oakland established a dedicated website to keep residents consistently informed about the incident, mitigation steps, and the status of affected services.
The website has the entire timeline of the incident, with timely updates on each recovery step and guidance on how to effectively use the limping infrastructure and its limited facilities.
City officials provided regular updates on the progress of recovery efforts and steps taken to improve cybersecurity measures.
They also worked closely with law enforcement and cybersecurity experts to ensure the appropriate actions were taken to mitigate the impact of the attack.
One of the most effective communication efforts of the City of Oakland was the establishment of a 24-hour hotline to provide support and guidance to affected individuals.
The hotline allowed residents to report suspicious activity and receive assistance in recovering their data.
In addition, the City of Oakland reached out to the community through social media platforms and various local news outlets.
They encouraged residents to stay vigilant against potential phishing attacks and other cyber threats and shared helpful resources to ensure the community could stay informed.
The mindfulness and timeliness of stakeholder communication during crisis was in stark contrast with the regular tactic of organizations to make a vague public announcement, or non-accessible regulatory disclosures in the case of businesses.
Effective stakeholder communication during crisis: Ransomware attacks
Take the case of Indian multinational pharmaceutical company Sun Pharmaceutical Industries. BlackCat/ALPHV ransomware gang today posted about further sale of the company data.
The company disclosed the cyber attack on March 2, but dismissed that as an “information security incident”. For the uninitiated, an information security incident could be coffee spilling over a crucial server.
Funnily, the statement dismissed that possibility too. “The incident has not impacted our core systems and operations,” the statement said.
Those in the industry understood better when BlackCat/ALPHV ransomware gang listed the company as a victim on its leak site on March 24. It was a ransomware attack, and initial negotiations failed.
Two days later, the company made another disclosure at the Bombay Stock Exchange. “A ransomware group has claimed responsibility for this incident,” said the statement that did not mention ransomware anywhere else.
The disclosure, which was more of a profit warning for the markets than crisis communication for stakeholders, had two contradictory statements
“The Company promptly took steps to contain and remediate the impact of the IT security incident, including employing containment and eradication protocols to mitigate the threat and additional measures to ensure the integrity of its systems infrastructure and data,” it said.
“The Company currently believes that the incident’s effect on its IT systems includes a breach of certain file systems and the theft of certain company data and personal data,” it also added.
Logically, a company that contained and remediated the impact of the “IT security incident” should not be speaking about “breach of certain file systems” and “theft of certain company data and personal data”.
The term “personal data” stands out as the vaguest of all. No explanation on what “personal data” was: it could be the photo of one of the factory’s nightguard, or the credit card details of a consumer and the medicines she purchased with it.
In all fairness, attributing a cyber attack is tricky business. No one wants to admit that their systems fell for a ransomware attack. Attribution becomes easier when the reason is established and there are several parties affected, as we saw when Cl0p ransomware group tapped the GoAnywhere vulnerability.
Fortra, a data transfer software provider, discovered on January 30, 2023, that a vulnerability in its software, GoAnywhere, had been exploited by unauthorized parties.
Fortra released patches for the vulnerability on February 7, but during the five-day gap, hackers including Clop ransomware gang had already caused significant damage across the world.
Every affected firm promptly blamed GoAnywhere for the attack.
However, a blunt and honest statement such as “We’ve been breached and lost data” is the last thing an organization should do in stakeholder communication during crisis, advise corporate communication advisors.
Stakeholders: Who are they and why are they vulnerable?
When businesses face ransomware attacks, the most practical solution to recover data and minimize a stressful situation is to pay the ransom.
However, paying the ransom, which may cost millions, is easier said than done.
In case a ransom cannot be paid due to various business reasons, such as possible sanctions, organizations should prepare for the possible avenues that attackers may use to inflict significant harm to their reputation.
Double extortion is a common theme of current ransomware attacks, where a threat actor not only encrypts a company’s files and demands ransom but also threatens to expose sensitive data that has been stolen from the victim’s environment.
“An evolution of the double extortion attack is particularly sinister: direct outreach to a victim company’s stakeholders,” noted a report by Harvard Law School Forum on Corporate Governance.
“This new strategy forces organizations, already under tremendous pressure, to act quickly to get ahead of the messaging around an attack in an attempt to reduce reputational risk and maintain stakeholder trust.”
“Whether it’s a drop in stock price, an economic downturn or an isolated issue impacting your organization, timely communication with key stakeholders is paramount in making sure that the issue is proactively contextualized and fact-based without a false narrative,” consultancy firm Apco WorldWide pointed out.
Identifying stakeholder groups goes a long way in getting stakeholder communication during crisis right, said the Apco report. Once you have a clear idea, the following steps help initiate a timely action:
- Identify and analyze stakeholder groups using social media monitoring tools and existing relationships to understand connections, expectations, risks, and opportunities.
- Map relationship owners to key stakeholders for outreach to ensure stakeholders hear from the right leaders within the organization.
- Leverage appropriate communication channels such as direct outreach, town hall meetings, email alerts, or social platforms to amplify messages.
- Develop customized, yet consistent messaging for each stakeholder group to ensure a cohesive narrative and use message testing through focus groups and data analytics to deliver messages that resonate with key audiences.
- Temper responses depending on the issue/crisis severity and evaluate the appropriate spokespersons to put forth when communicating with stakeholders.
- Train messengers to communicate effectively both in direct communication settings and potentially in televised media interviews.
Misinformation can spread rapidly and alter the narrative, so correcting it as soon as possible is crucial, the report stressed.
Stakeholder communication during crisis: How to put it right
When a stakeholder communication plan is thoughtfully planned and meticulously executed, it can help organizations overcome potential issues and come back stronger by retaining trust and support from key stakeholders.
“Prepared companies project confidence in moments of crisis. They have clarity and consistency of message. For instance, when companies are faced with a cybersecurity issue, they often ask, What should we call it? An outage? A cybersecurity incident? A ransomware attack?,” wrote FTI Cybersecurity & Data Privacy Communications expert Jamie Singer.
There are pros and cons to each type of response, and the organization must weight them well before finalizing their plans for stakeholder communication during crisis.
“If you’re fully transparent very early on about a ransomware attack, for instance, people might be alarmed and press, ‘Did you pay the ransom? And if so, why?’ These are tricky questions to respond to when investigations are just kicking off,” Singer pointed out.
“On the flip side, if your systems are down for a week due to ransomware and you continue to call the event an ‘outage,’ people will be skeptical, and you risk eroding trust,” he added.
According to Singer, the most important step in crisis communication happens before the incident.
By engaging in executive-level conversations early on and defining critical aspects such as terminology, transparency, and risk tolerance, businesses can establish a framework for clear, consistent, and timely communication when it’s most needed,” he explained.
A plan of action with a clear chain of command also saves crucial time in firefighting.
Situations still arise where businesses are slow to respond because they require 20 to 30 people within the organization to review a holding statement or an urgent customer communication, noted Singer.
“Streamline your messaging review and approval process and team on the front end before you have a major issue.”
As shown so effectively by the City of Oakland, it’s crucial to maintain frequent and consistent communication with stakeholders to provide reassurance, but it’s equally important to avoid unnecessary or repetitive communication if there is no new information to share.
It’s essential to allow the facts and investigation efforts to dictate the messaging to ensure accuracy and credibility. Equally important is the channel of communication.
Stakeholder communication during crisis: How to share it right
Cyber attacks such as ransomware often take down communication channels, like we witnessed in the City of Oakland.
Ransomware can compromise key platforms and resources, including customer databases, resource planning tools, email and digital address books, and proprietary software.
This can lead to a loss of intellectual property and personally identifiable information, and compromise the effectiveness of emergency management programs.
They also pose substantial reputational risks for organizations that do not demonstrate transparency, accountability, and competency when responding to an incident, warned an advisory by American public relations and marketing consultancy firm Edelman.
“As with any business disruption event, communicating with key stakeholders – whether customers, employees, or business partners – is essential to maintaining trust and protecting an organization’s reputation,” the report said.
“But the reality is that, during a ransomware attack, an organization may not have access to its traditional suite of tools, platforms, and resources to support standard communications.”
To address this issue, Edelman suggested several practical solutions for organizations to consider.
These include using third-party marketing platforms to distribute mass messages to external stakeholders, using secure group messaging apps for internal coordination, and leveraging an organization’s website and social media channels to push out updates to external stakeholders.
In addition, offline forums like townhalls and conference calls, supported by messaging distributed to line managers, can be essential for communicating with employees.
“While these tactical solutions can help mitigate impacts, ultimately, the organizations who communicate most effectively during a ransomware attack – and best maintain the trust of key stakeholders – are those that have already contemplated, planned, and identified contingency measures for these types of scenarios,” the report pointed out.
“Nothing instills greater confidence in an organization than being able to convey it is handling an incident transparently, competently, and efficiently. Conversely, nothing does greater damage to a company’s reputation than being perceived as opaque, in disarray, and unprepared when responding to a crisis.”