IT security in the crisis - why proper communication is essential! (Part 1)

The probability that a company will be affected by a crisis at least once is very close to 100%. Back in 2016, the two communications researchers Jörg Forthmann and Roland Heintze estimated in a study that the probability of a communications crisis has increased by 75%. And public crises don't just affect the leaders of the industry - in every situation of a company, whether leader, rising star or start-up - a crisis and inadequate communication can jeopardise the existence of the entire company.

What is a crisis?

The definition of a crisis, according to political scientist Manfred G. Schmidt, is "generally a climax or turning point of a dangerous conflict development in a natural or social system, which was preceded by a massive and problematic dysfunction over a certain period of time and which lasts for a shorter rather than longer period of time". This can be applied to companies. Crises are characterised by the following features:

There is a suspicion of and an occurrence of disruptions.
First slow, then rapid change in the assessment of the company's policy, which is perceived to be in conflict with public interests and protection goals.
There is public interest and turmoil.
There is damage to the company's public image that affects business operations.

A public interest refers to that of third parties in any form: employees, suppliers, customers, journalists and the specialised press, board members, partners, associates, shareholders and many more.

The causes of a crisis can be internal (endogenous) or external (exogenous) to the company.

Examples of exogenous crises include industry crises, such as a financial market crisis or a shortage of raw materials. The boundaries between the two forms are often unclear.

If there is a risky company situation, this can develop into a disaster if various exogenous factors are added:

Economic crises, disruptions, and accidents
Product misuse and sabotage
Product scandals involving competitor and upstream products
Pressure from interest groups
Rumours, slander and confusion
Kidnappings, terrorist attacks and wars

There may also be endogenous factors:

Incidents, disasters and accidents
Product scandals
Critical management and sales practices

If a tolerance threshold is then exceeded and an unusually negative level is reached for the company, then we speak of a crisis. As with a traffic light, these phases can be divided into:

Normal state
Critical o. latent phase
Negative state of emergency

However, not every crisis is the same. There are three basic types of crisis:

Accordingly, we often have to deal with eruptive crises in the field of information security, which means that public interest is immediately particularly high in this case: good and prepared crisis communication is essential. Eruptive crises can also quickly turn into periodic crises, which can recur again and again in the event of mismanagement and a lack of learning.

Although every crisis is different, it is possible to recognise patterns that every crisis exhibits. A crisis can be divided into three phases: Early phase, acute crisis phase and the latent crisis phase.

If you include the entire crisis management process, it can then be divided into five phases:

Prevention
Early detection
Containment
Recovery
Learnings

Preparing for crises

However, a crisis is not something that cannot be foreseen. Risk management has become particularly important in today's world: Every company has the task of knowing the risks in its own sector and preventing them. In many areas, there are even legal obligations, for example, corporations and listed stock corporations are obliged to operate a company-wide early warning system and publish statements on the risk structure in management reports.

However, it is important to note that despite prior crisis management, crises often cannot be prevented. And in this case, the importance of dovetailing crisis management and crisis communication becomes clear. In this way, the potential for escalation can be assessed before it occurs and prevention and crisis instruments can be developed and installed.

Phases of the crisis

3.1 Prevention

The three building blocks of the prevention phase are:

Crisis awareness
Issue-Management
Crisis awareness

The result of all three phases should be a crisis roadmap. This defines the steps to be taken in a crisis situation, but leaves enough room for action appropriate to the situation.

The crisis roadmap must include:

Regulation of responsibilities

Who informs whom? Who communicates with whom and how?

Emergency plans

They ensure the continuity of daily operations

Determine contact details

These include, for example The contact details of media, politicians, trade union representatives, multipliers, etc.

Communicatively, networks with contact persons should already be established here. It is a huge advantage to communicate with media representatives you already know. Especially in crisis situations, it is important to speak to trusted media outlets that report objectively and know the context. Short lines of communication are an advantage here.

Templates for press releases, emails, website texts and social media are also created during this phase. The social media team often plays a key role here, as it has to react in real time and acts as a direct information interface and can read out many communication directions in monitoring. The results of this monitoring can be used to take quick countermeasures.

3.2 Early detection

If possible, issue management should already be aligned with crisis management. Ideally, sources of danger are identified here before they can become an acute threat.

In early detection,

Crisis indicators must be recognised
Tolerance thresholds are defined
Early warnings are given

Media reporting usually begins at this stage. Enquiries are made - research is carried out. This is a particularly critical phase in crisis communication, as communication problems can often already be caught here. This prevents rumours, speculation and suspicions, but it is important to recognise what information is expected and, in the best case, to have already prepared it. Journalists can often already do this. If a company does not react at this stage, media representatives will look for third-party sources at an early stage: Customers, competitors, industry experts, insiders - and therefore information that can no longer be controlled by the player.

Communicating internally is just as important as communicating to the media. Depending on the size of the company, information spreads even more widely: employees who are not informed often consciously or unconsciously participate in speculation. Once these have been created, they are difficult to catch again, as a study by the University of Regina, Canada, from 2020 shows: News via social media spreads 6 times faster than news via traditional media. In most cases, the test subjects did not check the veracity of the news.

3.3 Containment

This is where the peak of reporting is reached. The so-called "news value" for the editorial offices is at its highest in this phase. At this stage at the latest, corporate communications should have a reliable overview of the background and details, have defined language rules and have solutions ready. This is necessary in order to be able to steer the reporting. Normally, the reporting should subside shortly afterwards.

If this is not or only marginally successful in this phase, then an escalation is likely, which is often the basis for reputational damage. It is important to bear in mind that the negative aspects of an incident often have the highest news value. So-called "free riders" will join the negative reporting and trigger a "shitstorm".

3.4 Recovery

This is where the crisis is followed up. Measures must be defined to eliminate the negative consequences. The aim is to restore normality and quickly return to day-to-day operations.

3.5 Learning

Critical questions must be asked here: What was done right, what was done wrong? How was communication organised? Which messages were received and which were not? The aim of this phase is to define and implement measures, actions and projects that show the public: "We have learnt" and that serve to adapt the prevention measures and emergency plans accordingly. Above all, it is important that this package of measures remains credible. No promises that are impractical to implement or are not implemented. Ideally, experience can be used to install an early warning system that records and expands the prevention measures.

Conclusion

Despite the early warning system, one thing must be clear: crises are unavoidable. But they also offer opportunities. Well-communicated crises can also bring an enormous gain in reputation and trust: Internally and externally. There are many cases of corporate crises from which companies have emerged stronger. However, poor crisis communication can also have the opposite effect.

This document is intended to help you prepare for crisis communication. It is intended to provide you with templates and best practice examples from past crises.

In addition, we would like to add a note: The legal department should always be involved in the preparation and monitoring of crisis communication. Information and communication content often also affect existing contracts or laws. This should always be checked before communicating externally.

It should also be borne in mind that crisis communication is very diverse. Every company, authority or institution, as well as every organisation or association, has different requirements. Therefore, the preparation of crisis communication should be started early. We will be happy to help you define the necessary measures and requirements for you.

In our second part, we look at the crisis manual and take a closer look at the do's and don't's during a crisis.