How business owners can manage communications during a cyberattack

Many small business owners feel they are too small to become the victim of a cybercrime, but the reality is 43% of all cybercrimes in New Zealand are targeted at small businesses*.

Becoming a victim of a cyberattack can break the trust your customers and partners have built with your business, and they may feel hesitant to continue trading with you. The way you communicate following cyber incident can be a key part of minimising the damage done to your business. In this article we cover how to respond and manage communications during a cyberattack if your business finds itself to be the latest victim.

Immediate cyber security incident response steps

As soon as you realise your business has become the victim of a cybercrime you need to report it to the New Zealand National Cyber Security Centre as soon as possible. They can help you stop an incident from getting worse, understand what happened, and advise on the next steps.

If you have Cyber Liability insurance, you also need to notify your insurer as soon as possible. If you purchased your cover through BizCover you can learn how to contact your insurer and see what information they may need here.

Who else needs to hear from you?

Once you have taken the necessary steps to secure the threat, you will likely need to begin notifying people who may have been affected by the cyberattack. This can include your staff, suppliers, partners, and customers. Depending on the attack their sensitive data such as bank details, contact information, and account credentials may have been accessed.

What to say

This can be a tricky situation to navigate as you don’t want to break the trust and reputation you have worked so hard to build. Let them know:

• The type of attack that occurred, when it happened, and what information may have been accessed.
• What to look out for (suspicious emails or phone calls, unexpected account activity or transactions, etc)
• Resources they can use via the National Cyber Security Centre
• When to expect further updates from you

What not to say

What you don’t say is just as important[MP1]  as what you do say, and this doesn’t mean hiding information to protect your reputation. Here’s what not to say:

• Speculation on the cause or severity of the incident before you know for sure
• Assumptions about timelines or impact of the interruptions to business
• Specific blame on third parties until formal investigations have been completed
• Promises about resolutions or compensation without talking to the NCSC or your insurer

Preparing before an incident happens

If this is the section of the article you are here for, well done! The best thing you can do is be prepared to react before a cyber incident. This puts you ahead of more than half of NZ small businesses who have admitted they are not prepared to respond to a cyber security breach*. Here’s a few things you may want to put into place:

• Draft some notification templates for common scenarios (data breach, ransomware, system outage).
• Protect your business with Cyber Liability insurance to cover costs such as breaches and extortion, forensic investigation, data recovery, business interruption, crisis management, and legal fees.  

To find out more about Cyber insurance options, and to compare quotes visit bizcover.co.nz.

*NCSC – SME Cyber Security Behaviour Tracker, June 2024