Cyber crisis: are wholesalers prepared?

Not a day goes by without talk of cyber crime and the latest attacks on retailers, distributors and logistics businesses. Are you prepared for a cyber crisis?

Tommy Gibbs, Head of Corporate Reputation, Cirkle

From Co-op to M&S and Harrods, some of the UK’s biggest businesses have been impacted, and as a result, a lot of suppliers and consumers across the country have been negatively affected.

While some of the big players have been making headlines, it’s also catapulted some lower profile businesses to instant fame. Last week a local Somerset-based business, Peter Green Chilled, was subject to a ransomware attack. As a result, they were locked out of their own systems, causing huge disruption, not only to their own operations, but to their customers too. They provide chilled logistics operations for the likes of Morrisons, Sainsbury’s, Tesco, Waitrose and the Co-Op, demonstrating the havoc cyber criminals can reap if they target different areas in the supply chain.

Peter Green Chilled were quick to reassure customers with clear and concise communications, outlining what areas had been impacted. But going from being a relatively unknown organisation in national media to suddenly having a spokesperson interviewed on national radio is quite a big jump, and it highlights the importance of being ready for anything when it comes to communications in the event of a cyber crisis. Arguably this is even more important to wholesale or supplier businesses, where you are a core part of a wider logistical chain, and you have both customers, suppliers and potentially end consumers to think of in your communications approach.

So, based on our experiences handling communications around cyber incidents, here are some points to get you started on how you can prepare yourself and your business.

Cyber-proof first

It goes without saying that having robust cyber security systems in place is a vital first step, with clear policies across your business on things like password security and management, and how to spot a cyber security incident. Not only is this imperative from a business continuity perspective, but if a breach or attack does take place, it will be helpful to refer to your strict procedures and policies, as this will demonstrate that you take cyber security very seriously. A good place to start is https://www.ncsc.gov.uk/ where there are handy guides on cyber security best practice for different types and sizes of businesses.

Words ready, crisis steady

The last thing you want to be doing if a cyber incident occurs is scrambling around trying to pull together materials and work through what you want to say while at the same time having to work at pace to resolve the operational elements of the incident.

At a basic level, communications preparation will involve working through scenarios and risks, considering the messaging you would want to deliver and how you would want to get it across. Having some guidance written and processes agreed in advance will mean you’re one step closer to issuing communications quickly when needed.

If the incident involves a breach of personal data, you already have a ticking time bomb for when communications need to be issued, as by law you must alert the Information Commissioner’s Office within 72 hours, and you need to alert any affected parties as soon as possible if it involves their data.

Every stakeholder matters

As you work through who has been directly affected, you need to make sure that you’re considering how you’ll approach all relevant stakeholders, as many will be indirectly impacted and will need reassurance. If you’re a business working as part of a wider supply chain you will likely have multiple impacted parties, so this preparation is even more crucial. Work through your key suppliers, customers, as well as their customers or end consumers so that you can help them to manage communications too. The last thing you want is a communications vacuum where customers will panic and worry that you aren’t fully in control, which can damage long term trust and reputation.

Arguably your most important audience is your employees and they can often be forgotten if you haven’t considered a full audience approach. Employees can be your best ambassadors and this is still the case in a crisis. Make sure they are kept up to date with the information they need and understand the messaging as they will be asked about it too, even if it’s just by friends and family.

Speak human, not hacker

As you keep your customers updated with the latest developments, make sure your communications are clear. Avoid any technical terms unless it’s imperative to explaining the situation, keep it simple and to the point and avoid sharing any further information than is strictly necessary or that might confuse the situation. Ultimately people want to know what has happened, how it will impact them and what are you doing about it. Make sure your language is approachable, human and be compassionate. Now is not the time for corporate lingo, but balance that with demonstrating that you are taking it seriously.

From backstage to breaking news

If your business isn’t used to dealing with media and likes to stay under the radar, it can be hard to rustle up a spokesperson from scratch. With that in mind, make sure you work through who could represent your business if a situation arises where you need to put forward someone for interview.

Having a face for a company will help to humanise your approach and maintain trust. Ideally the spokesperson should be a senior member of the business, who has the authority to talk through the steps they are taking to address the situation. Fortunately, preparing spokespeople is something that can be done well in advance through media and crisis training, where delegates can be put through their paces and build their confidence by learning techniques about how they can handle tricky questions and difficult scenarios.

There are of course more tips and guidance about how you can get ahead, but we’d urge businesses to audit their processes and make sure they have the right structures in place so that if a cyber issue kicks off, they are ready and able to handle the communications quickly, thereby helping reduce disruption and maintain trust. After all, wholesale is an industry that is based on relationships, and in a strong relationship, good and clear communication is key.

If you would like to find out more about how to prepare for a cyber security threat, please contact Tommy Gibbs, Head of Corporate Reputation at Cirkle, on tommy.gibbs@cirkle.com