Cyber risks are a harsh reality of doing business. Whether caused through malicious intent or through an innocent employee's actions, these risks have the potential to significantly impact your business.
Whilst effective preventative and detective security controls are essential, a well-defined communication plan will make a world of difference in mitigating damage during and after a cyberattack.
Effective communication during a cyberattack ensures transparency with internal and external stakeholders, minimises panic, and can be the difference between your company appearing in the news for a day and being headline news for weeks or months.
Audiences
There are a variety of audiences that need to be considered when developing your communications plan. The audiences may include:
Internal Stakeholders: Security incidents are not like IT outages and should not be broadcast to the whole organisation; details of an ongoing investigation should be shared on a need-to-know basis. However, keeping the relevant employees informed builds trust and promotes cooperation during the incident.
External Stakeholders: This group will include investors, partners, and customers, amongst others. Keeping these stakeholders informed demonstrates responsible leadership and helps to minimise reputational damage.
Regulators: Incidents involving personal data will usually trigger mandatory reporting requirements, often with a tight deadline (for example, 72 hours from becoming aware of the breach under the GDPR). Depending on your industry, other regulations may impose their own reporting requirements. Missing these deadlines can result in fines or sanctions.
Law Enforcement Authorities: Engaging with law enforcement and other relevant authorities can strengthen your incident response through shared intelligence and capabilities.
Communication Plan Structure: A Roadmap for Response
The following structured approach will support the development and operation of an effective communications plan:
Communication Teams: Identify the teams responsible for drafting communications and those responsible for delivering them, and align this with the identified audiences (staff, customers, media, etc.).
Communication Channels: One size does not fit all, so you will need to identify the right communication channel for each audience. Consider whether this should be internal email, a website, press releases, social media updates, or town halls. Bear in mind that the attacker may have access to your corporate email or chat systems, so agree an out-of-band channel for the response team in advance.
Communication Templates: Define and maintain approved templates for the various scenarios, reviewed in advance by legal and PR. This ensures communications are accurate and consistent during a cyberattack; no-one has time to draft them on the fly during an incident. Keep the templates and contact lists somewhere that remains reachable if your primary systems are unavailable.
Communication Triggers: Determine the severity levels of an attack that trigger specific communication protocols. For instance, a malware infection contained to a single device might only require internal communication, whilst a large-scale attack will likely necessitate informing regulators and customers (see the examples below).
Post-Incident Review and Lessons Learned: Debrief and improve your communication plan based on the lessons learned from the incident. Nothing is ever perfect, but the plan has to be effective. Identify what worked well and what needs revision.
Communication Triggers: Examples
Low-Level Attack: Phishing attempt, malware infection on a single device
Communication: Internal notification to IT and potentially affected teams
Mid-Level Attack: Data breach affecting a limited number of records
Communication: Internal notification, communication with affected individuals, regulatory notification where personal data is involved
High-Level Attack: Major data breach, disruption of critical systems
Communication: Internal notification, communication with all stakeholders (customers, media, investors), regulatory notification, potential law enforcement involvement
Effective Communication During a Cyberattack
Remember: Transparency and timeliness are key. Clear communication fosters trust and supports collaboration. A well-defined communication plan that is practised and kept up to date will minimise the disruption caused by a cyberattack and position your teams for a more successful recovery.