Crisis communication during an incident
No matter how good your security is, incidents can still occur that have a significant impact on your customers, employees, stakeholders and business reputation.
Effective and timely communication with internal and external stakeholders during a security incident is critical to maintaining trust and transparency, and goes a long way towards mitigating the risk of losing customers, breaching regulations and losing credibility in the market.
Developing a crisis communications plan to use in the event of an incident will allow your business to respond swiftly and provide the right information to the right stakeholders at the right time.
What Should a Crisis Communications Plan Include?
A Crisis Communications plan should include the following items:
- When an event should be considered a crisis
- Who should be told about the event and what they need to know
- When should each stakeholder group be informed
- What communications should be provided and who needs to sign off before each communication is delivered
- Which channels should be used to notify each stakeholder group
Download our Crisis Communications Planner to get:
- A crisis communication planner template
- Tables to map out your key stakeholders and their communication requirements
- Free templates for Internal Notifications and Data Breach Notifications
- A process for identifying the pre-requisites for each type of communication
- A list of questions the media may ask you
How to be prepared
No business wants to be the victim of a significant cyber security event or data breach, but in the unfortunate event that one does occur, every business wants to be prepared. One of the best ways to prepare is to have three documents in place:
- A clear guide to what is considered a Crisis
- A matrix showing who needs to be informed of what, and when. Third-party support during an incident may include legal advisors, public relations firms, crisis communication consultants and third-party service providers such as forensic teams.
- Draft communication templates which incident response teams can complete to quickly prepare any necessary communications. Formal notifications should be developed for the Board and management team, customers, regulatory agencies, affected people and employees.
What is a crisis and what type of events are planned for?
A crisis that would require communication to stakeholders may include a variety of incident types such as:
Physical Breach
A physical breach involves the physical theft of documents or equipment containing cardholder account data such as cardholder receipts, files, PCs, and POS systems. Typically this includes a loss or theft of:
- Laptop and Desktop Computers
- External hard drives
- Any other technologies that may contain cardholder data such as Point-of-Sale Equipment (Standalone Dial-Up Terminals)
- Any other physical asset that may contain cardholder data, including hard-copy bills, faxes, credit card receipts, or blank checks
- Physical breach of Data Centre.
Electronic Breach
An electronic breach is unauthorised access to, or a deliberate attack on, a system or network environment where cardholder data is processed, stored, or transmitted. This can result from an attacker gaining access through web servers or websites by exploiting application-level vulnerabilities in a system. Typically this includes a loss or theft of:
- Intellectual Property
- Customer or Employee Personal Information
- Sensitive Health Information
- Transactions or Bank Account Details
Roles and Responsibilities
It is important that you have a clear guide of who is responsible for all aspects of an incident.
It is critical that roles, names and contact details be regularly reviewed and updated as required.
Below are some of the possible roles you may need to define in your incident response plan, depending on the size of your organisation.
Key people who will be called on to be a part of the incident response team should be aware of their role and have been provided necessary training to ensure they know what to do when called upon to be a part of the team.
- Employees – typically responsible for reporting any actual, potential or suspected breaches.
- Incident Owner – The chief decision maker during the incident.
- Incident Response or Crisis Response Team – Group of specific people with required skills to manage all aspects of an incident from data collection, system investigation and communications. The team may also include outside support services such as forensic specialists or legal advisors.
- Incident Response or Crisis Response Team Manager – A person responsible for assembling the Crisis Management Team and coordinating how the incident is communicated; both internally to employees and externally to the media, affected customers, partner organisations and other external stakeholders.
- Technical System Owners and Experts – These stakeholders may provide technical resources and expert assistance in relation to specific systems, and may also provide resources to assist in maintaining the affected system. Where multiple systems are affected, there may be a representative for each system.
- Management and Executives – Key management roles will be responsible for signing off specific actions or communications, and all will need to be kept informed so they can manage stakeholder questions appropriately.
Other Key stakeholders who may be involved in managing an incident
- Internet Service Providers (ISP) – Your business may need assistance from your ISP in blocking a major network-based attack or tracing its origin.
- Software Vendors – Incident handlers may want to speak to a software vendor about suspicious activity. This contact could include questions regarding the significance of certain log entries or known false positives for certain intrusion detection signatures, where minimal information regarding the incident may need to be revealed.
- Customers – When the confidentiality, integrity or availability of customers' data or services is impacted and a business cannot meet its promised SLAs, or there has been a data breach affecting customers' personal or sensitive information, ensuring customers are a core part of your stakeholder groups will be critical.
- Regulators – Depending on the type of event and the information or services that have been impacted, a company may need to follow specific reporting requirements to inform its regulators.
- Law Enforcement – The incident response team should become acquainted with its various law enforcement representatives before an incident occurs to discuss the conditions under which incidents should be reported to them, how the reporting should be performed, what evidence should be collected, and how it should be collected.
- Owners of Attacking Addresses – If attacks are originating from an external organisation's IP address space, incident handlers may want to talk to the designated security contacts for that organisation to alert them to the activity or to ask them to collect evidence. It is highly recommended to coordinate such communications with your local Cyber Emergency Response Team, such as AUSCERT or US-CERT.
- Other Incident Response Teams – A company may experience an incident that is similar to ones handled by other teams; proactively sharing information can facilitate more effective and efficient incident handling (e.g., providing advance warning, increasing preparedness, developing situational awareness).
- Professional Services firms such as Lawyers, Public Relations and Forensic Experts – These roles will play a critical part in specific response and recovery strategies.
Communication Approvals and Timing
Communications should be carefully planned and timed correctly.
Timings for each stakeholder group should be included in your plan.
Which third parties should be involved in reviewing and approving communications should be clearly set out, bearing in mind that time will be critical if an incident occurs.
Some of the types of communications you may need include:
- Initial incident report to Management
- Incident report to Executives / Board
- Communications to Customers
- Communications to Employees
- Communications to Regulator e.g. Notifiable Data Breach Notification
- Media Release
Download our Crisis Communications Planner to understand how to identify the pre-requisites for each type of communication.
Communication Types
Formal Communications
- Formal notification takes many forms, and what you communicate is different to each audience.
- Your company may decide to notify stakeholders and customers through a PR firm with a formal press release and through social media. These “broad messages” should be carefully crafted to communicate to your stakeholders you have the incident well in hand and are on the road to recovery.
- Breach notification letters to regulatory agencies and to affected individuals are different from notices to the public. Your legal counsel will guide you on whom these notices should be sent to and when.
- Notification to your employees should also be carefully drafted, since this might be an opportunity to educate them on cyber best practices.
- In preparing the formal notice, your team may include information on what you are going to do to recover, such as your company's improvements or recommendations from a lessons-learned perspective. As an example, if you found that the company's system was compromised via a phishing attack, you could provide examples of the email and the training you have conducted, as well as the fact that you reported the event to the relevant privacy or cyber security agencies.
On-going communications
- When developing the Crisis Communications Plan, consider developing communication strategies for 30, 60 and 90 days post-event.
- Notifying your stakeholders and customers of on-going actions will go a long way in confidence building.
- Additionally, you may need to develop and deploy an educational campaign to your employees.
Communication Templates
Draft communication templates in advance so that incident response teams can complete them to quickly prepare any necessary communications. Formal notifications should be developed for the Board and management team, customers, regulatory agencies, affected people and employees, for example:
- Notifiable Data Breach Notification
- Communications to Customers – First Notice
- Communications to Customers – Second Notice
- Communications to Employees
- Communications to Board
- Communications to Regulator
- Media Release
Download our Crisis Communications Planner to get free templates for Internal Notifications and Data Breach Notifications.
Managing Media Enquiries
Public Relations
Effective and timely communication with external stakeholders during a security incident is critical to maintaining trust and transparency, and goes a long way towards mitigating the risk of losing customers, breaching regulations and losing credibility in the market.
The Media
During a significant event the incident handling team should have access to an established media communications procedure that complies with the company's policies on media interaction and information disclosure.
When discussing incidents with the media, companies often find it beneficial to designate a single point of contact (POC) and at least one backup contact. The following actions are recommended for preparing these designated contacts and should also be considered for preparing others who may be communicating with the media:
- Conduct training sessions on interacting with the media regarding incidents, which should include the importance of not revealing sensitive information, such as technical details of countermeasures that could assist other attackers, and the positive aspects of communicating important information to the public fully and effectively.
- Establish procedures to brief media contacts on the issues and sensitivities regarding a particular incident before discussing it with the media.
Strategies to help you communicate effectively with the media
- Maintain a statement of the current status of the incident so that communications with the media are consistent and up-to-date.
- Remind all staff of the general procedures for handling media inquiries.
- Hold mock interviews and press conferences during incident handling exercises.
Download our Crisis Communications Planner to get a list of questions the media may ask you.