Last week a ransomware attack occurred affecting over 75,000 computers in 99 countries. The attack affected government agencies, schools, hospitals, and corporations. The corporations affected included FedEx, Telecoms, and Renault. Among the countries involved were China, the UK, Sweden, Russia, Indonesia, the U.S., Portugal, and Spain. Ransomware is a type of malware that demands a ransom be paid or a computer system will be crippled. This particular attack has been called WannaCry (and a few other names). It is a worm that infects computers and not the opening of attachments. WannaCry illustrates the cyber crisis risks faced by organizations.
Cyber attacks are complicated form of crisis for crisis managers. Even a few years ago, a cyber attack would have been considered a victim crisis—the organization and its stakeholders suffer damage caused by an external agent. Organizations were seen as having little control over the crisis, hence, attributions of crisis responsibility were low (See Situational Crisis Communication Theory for more information about the relevance of crisis responsibility’s importance). The Target data breech in 2014 was a significant marker in the shift in stakeholder perceptions of cyber attack crises. Public opinion data then showed people now blamed the organizations for the cyber attacks. Stakeholders now felt organizations were not doing enough to protect their data from hackers. The fairness of this new attitude can be questioned. Target, for example, actually had exceeded requirements for cyber security. Hackers simply ae ahead of the software used in cyber security. New programs are being developed regularly that create new cyber risks for organizations and individuals. The WannaCry attack was dubbed unprecedented in size by international law enforcement yet the individual organizations are likely to take the blame for any problems that arise from the crisis. For instance, the Nissan facility in Sunderland in the U.K. was infected but production was not interrupted. It is possible crisis responsibility will be low for WannaCry because of the scale and the effects being felt primarily by the organization. Cyber attacks that compromise stakeholder data placing them at risk are want seem to draw attributions of crisis responsibility. The point is that the communication demands for cyber attacks have changed and become more complicated. Crisis communication research focusing on cyber attacks is just emerging and needs more attention to help unpack the specific communicative demands from this crisis type. What we do know suggests that cyber attacks should be treated as preventable and not victim crises even though the true ability to prevent the cyber attacks is questionable. It is easy to see have managers would be reluctant to treat a cyber attack as a preventable crises but perception and not facts frequently drive crises.
Questions to Consider
1. How fair is it to organizations to assume cyber attacks are preventable?
2. How effective might it be to tell stakeholders the level of security measures in place before a cyber attack occurred? Why might this help or not?