Creating a Human Impact Cyberattack Response Plan

Terri Howard

June 26, 2017

As cyberattacks become more frequent, companies have worked to expand their understanding of cybercrime risk and prevention among internal departments. While most organizations have an information security plan in place to defend their data and infrastructure, they often are not as prepared to deal with the human consequences of an attack.

The wake of a cyberattack can be stressful for victims, especially when there is no advance warning or time to prepare. It can affect victims at three levels:

  • Corporations. When an organization’s sensitive information is stolen, it faces intense scrutiny. How could you let this happen? Why weren’t you prepared for this? What are you going to do to fix this? The company’s public image will take a hit.

  • Employees. Employees are affected on a personal level, and they are also the first line of response for customers after an attack. Briefing the workforce on the planned response and on the support that can be communicated to customers is imperative if the organization is to regain trust and rebuild its image.

  • Consumers. Consumers are often the hardest hit during an incident. Their sensitive information has been stolen, usually under circumstances completely beyond their control or knowledge, making it a traumatic experience.

Companies must be ready to respond to and support each of the audiences in the days, weeks and months after a cyberattack. This involves a basic four-step approach for responding to a cybercrime:

  1. Stop the activity

  2. Report the crime

  3. Repair the damage

  4. Prepare for re-victimization

The majority of human impact response will occur in steps three and four—managing the aftermath once the crime has been reported. A good plan will outline a process for quickly assessing the scope of an attack’s potential human impact and detail how the company will assist its customers and employees in the following ways:

Call center support. This might include an on- or off-site call center staffed by a crisis management provider, staff counselors, critical incident responders, and/or the HR department. Many organizations do not have the resources internally to support every victim of a cyberattack, so establishing relationships with outside vendors for support beforehand is extremely important, especially for the onslaught of calls that will occur within the first 48 hours after news of the data breach goes public.

Free credit monitoring. Offer affected individuals credit monitoring, and instruct them to place a fraud alert with one of the three credit reporting agencies; that agency is required to notify the other two. A fraud alert does not block new credit outright; it requires lenders to take extra steps to verify the applicant’s identity before opening a new account. An initial fraud alert is in effect for 90 days and can be renewed; victims who have filed an identity theft report with the police or the FTC can place an extended fraud alert that lasts seven years. U.S. consumers are entitled to one free credit report per year from each of the three reporting agencies, and placing a fraud alert entitles the victim to an additional free report. Rather than pulling all three reports at once, victims should stagger them, requesting one every 3-4 months so that they can check their credit several times a year.

In addition to notifying the credit bureaus, victims should file a local police report and a complaint with the Federal Trade Commission by calling 877-ID-THEFT (877-438-4338).

On-site or virtual counseling and support for families to mitigate the effects of trauma post-attack. It is not uncommon for victims to run the gauntlet of anger, guilt, isolation and vulnerability after a cyberattack. And no wonder. An employee or consumer whose data is stolen can spend years enduring the consequences. Remember, victims of cybercrime do not just lose a credit card or account passwords; they lose the sense of privacy and control over multiple aspects of their lives, from medical histories to Social Security numbers and identities, for an unknowable duration.

The experience can lead to blaming oneself (“Am I not taking enough precautions?”, “Do I provide too much information on the web?”), and others, be they service providers or employers (“How could something like this happen to me, your client/employee?”, “What will you do to protect me and my family from the people who stole our information?”).

An organization must act as an advocate for the victim. Remember, this is not the victim’s fault. Affected companies should:

  1. Listen — You may be the first person to listen to what the victim is experiencing and feeling.

  2. Keep an open mind — Well-meaning people often blame the victim; resist that tendency, because the victim is not at fault.

  3. Normalize the consumer’s feelings — Explain that many cybercrime victims feel this way.

Continuity plans to maintain operational business needs and promises. As with any crisis scenario, potential challenges will likely arise in the moment. In the case of a cybercrime—especially one on a news-attention-grabbing scale—these might include the need to manage media leaks and press; the need to communicate relevant information in a timely manner, with limited or no use of technology; and the need to quickly address an influx of questions and concerns from customers and employees—both current and former.

Like any crisis plan, a cyberattack response plan is only as good as the training behind it. Employees should routinely conduct drills on their roles and responsibilities so they feel comfortable and competent in responding during an actual attack. This is true for IT as well as for communications, HR, customer relations and other departments that will intersect with affected audiences.

Protocols for managing consumer, employee and family inquiries. The follow-up in the aftermath of a breach can be overwhelming for the victim. It also can be overwhelming for company staff. An employer-sponsored Employee Assistance Program (EAP) can help employees in two ways. In the case of an internal breach, EAP counselors can connect staff to resources and guide them through the sense of loss and confusion by providing “boots on the ground” support. In an external or customer-facing breach, the employees themselves may need support after dealing with frustrated and frightened customers. An EAP can offer that extra outlet of calm and support.

Ongoing updates and communication (internal and external). The importance of ongoing updates and communication cannot be stressed enough. In a culture reliant on technology for a steady flow of information, separation from a company’s network in a time of crisis can be disorienting and chaotic. It is difficult to send an all-customer email when the corporate email system is down or cannot be trusted. Instead, proactively establish out-of-band communication protocols that rely on phone, text or face-to-face interaction, and keep the contact lists they depend on accessible when the network is not.

The high risk of re-victimization—when cybercriminals repeatedly use a victim’s stolen information—underscores the importance of reaching back out to assess victim well-being in the months or years after the original attack. This includes making outbound calls or distributing emails with ongoing advice and resources.

Attacks against information technology infrastructure have a devastating impact on businesses of any size. The operational repercussions extend beyond the organization's walls to vendors, customers, partners and prospects. Outlining a comprehensive human impact response plan will help companies stay resilient and better manage the potential reputational fallout of a large-scale cybercrime.

Terri Howard is the senior director for FEI Behavioral Health, an international EAP and crisis management company.