How to communicate effectively after a security incident

 

 “There are only two types of companies, those who got hacked and those who will be.” – Robert Mueller, Former Director of the Federal Bureau of Investigation

Today’s cyberthreat landscape has increased in size and complexity at an alarming pace, and more and more organizations feel the pressure of protecting themselves against security incidents, such as DDoS attacks, Mirai, phishing and Ransomware. According to Verizon’s Data Breach Investigations Report 2016, “no locale, industry or organization is bulletproof when it comes to the compromise of data”.

While organizations have understood the need for effective cybersecurity protection, many are still at a loss when it comes to effective post-incident communication – a key requirement for successful incident response. We’ve gathered a few handy guidelines that will help your organization communicate effectively after a security incident.

 

1. Prepare a Post-Breach Communications Plan

“When a data breach happens, there is nothing worse than trying to figure out how to manage the crisis on the fly as it is still happening.” – Harvard Business Publishing, 2016

A well-defined post-breach communications plan can play a major role in minimizing the negative impact of a breach and protecting the organization’s reputation in the process. The main objective of a communications plan is to define how your organization will respond to a security incident. To ensure that your plan can be implemented easily when the time comes, make sure that you have sign-off of senior management, that the plan is updated regularly and that it is accessible to all relevant stakeholders who will be involved in managing post-crisis communications (TechTarget, 2010).

“Develop your crisis communication plan when you have time to think clearly and put forward your best, most thoughtful work.” – Maya Pattison (Barkly, 2017)

More often than not, organizations are struggling with proper communications in the wake of a major breach, not only because they are overwhelmed with the inherent risks, but also because they lack the necessary time to outline a comprehensive plan on the fly. In fact, the best time to prepare your post-breach communications plan is not tomorrow, not next week, not in two months – it is now.

Your post-breach communications plan should include the following elements at a minimum:

• Step-by-step instructions to follow after an incident
• Overview of the crisis communications team, including contact details, roles and responsibilities
• Overview of available communication channels, including best practices for each
• Overview of internal and external stakeholders to be notified in case of a breach
• Relevant communication templates, e.g. employee announcements, FAQs, social media posts, press releases and other official statements 

 

2. Appoint an Crisis Communications Team

Each security incident should be handled by a dedicated team of qualified resources who will be able handle the entire lifecycle of post-incident communications as quickly and professionally as possible. Ideally, your crisis communications team should be cross-functional and include as many different functions as necessary. Somebody from your IT team will be essential in remediating the damage from a technology perspective, HR can assist with appropriate messaging and/or training for employees, Marketing and PR can help direct press enquiries and manage public-facing communications, Legal can clarify whether the incident has any legal implications, Senior Management can make critical decisions and be your official spokesperson etc. Regardless of how many members your crisis communications team will have, make sure that roles and responsibilities are clearly defined to avoid confusion or duplicated efforts (Continuity Central, 2017).

Unfortunately, only a small number of organizations have a dedicated pool of skilled resources who know your environment intimately and can join you in your post-incident mitigation efforts, and many struggle with recruiting and maintaining their dream team of specialized security staff. If your organization is too small to appoint a well-functioning crisis communications team, solicit the guidance (and manpower, if needed) of a third-party provider in the wake of an incident. Security service providers can offer you excellent incident response management on a 24/7 basis, and can easily guide your team on what to do when you’ve been hacked.

 

3. Identify Internal and External Stakeholders

A myriad of stakeholders may be affected during and after a security incident, and your communication strategy should be take all relevant stakeholders into account to ensure that the appropriate information is communicated to the right people at the right time (Centre for Cyber Security Belgium, 2015). Internal stakeholders include senior management, the board of directors, business managers and employees. External stakeholders include the media, customers and partners, vendors and third-party incident response teams (TechTarget, 2010).

One of the first things to do after a security incident is to determine who you should reach out to, and what information you should share to keep them up to date. Here are a few examples of how you can tailor your communications to different stakeholders:

• Senior management will need to know to what extent the security incident has affected business operations, what the projected damage will be for the organization, and when operations are expected to be back to normal. C-level executives are often required to provide official statements for press enquiries, and need to be briefed for potential interviews by the in-house marketing or PR department. If there is considerable damage to the organization’s financial standing, reputation or brand, the board of directors will have to be advised as well.
• Employees will need to know whether they can continue their work without worry, whether there are any precautions to be taken going forward and how long the situation is expected to last. Employees with customer interactions will need to be briefed on how to communicate the security incident to customers, preferably by a “how to guide” or a document that provides answers to frequently asked questions.
• Customers will need to know whether they are potentially impacted by the security incident, in what way they may be affected, whether their personal data has been stolen or not, what your organization is doing to repair the damage and whether they need to take action in some way. Also, you may want to provide a recap of what’s happened and guide customers to the appropriate channels in case of questions or concerns, such as a phone hotline or a dedicated email address.

 

4. Choose your Communications Channels

In today’s ever-changing IT landscape, organizations can use multiple communication channels to bring their message across effectively, depending on its purpose and on whether your security incident needs to be communicated publicly or not.

• Email: All employees should receive email communications to make sure they’re aware of what’s happening as early as possible. For customers, partners and suppliers, prepare a series of emails that will update them regularly on the breach.
• In person: If you can, assemble your employees to share the news in person, and be ready to answer their questions.
• Website updates: If you need to inform the general public, make sure to include the latest information about the incident on your website’s homepage, and update it as needed.
• Social media: In addition to updating your website, you should consider using social media channels like LinkedIn or Twitter to share updates on how you’re handling the crisis. Make sure that your social media team is briefed on how to monitor social media coverage, and what to respond in case of negative feedback.
• Phone calls: If you think that your breach may cause concern among your customers, make sure to ramp up your sales team to call your customers one by one. Personal outreach may help maintain relationships with your customers, and prevent confusion or uncertainty.
• On paper: Although we’ve entered the digital age, printed notifications may still be valuable to distribute on employee desks and pin to pin boards for quick reference.

Regardless of what channels you decide to use, make sure to remain transparent, show remorse about what happened and never sugar-coat anything. Bad PR examples from industry giants such as Target have shown that inaccurate or hasty posts can be counterproductive, and can shake customer trust. Melissa Agnes, international crisis management strategist and keynote speaker, suggests clearly communicating “how this breach affects those impacted, what they should do to immediately protect themselves and where and when you will provide them with another update”.

 

5. Timing is Everything

Once you’ve determined who you will communicate with, what you will say and which communication channels you will use, make sure to respect the recommended time frames for when you will do so. The timing of your post-incident communication should be adjusted depending on who receives it and how soon he or she needs to know (Centre for Cyber Security Belgium, 2015).

• Certain stakeholders will need to be informed as soon as possible after a breach, e.g. your crisis communications team and executive management.
• Once the details and impact of the breach have been confirmed, your employees will need to be advised as a second step.
• If the security incident affects your customers or partners, make sure to distribute official communications and follow up with additional communications, if necessary.

In fact, communicating too early or too late can have disastrous consequences during a crisis. If you communicate too early, you may be sharing incomplete or inconsistent information and create confusion and uncertainty. If you communicate too late, you may lose stakeholder trust in your credibility and ability to handle security incidents in a timely manner.

 

6. Evaluate and Improve your Performance

According to the Institute for Public Relations (2014), a crisis should be seen as a valuable learning experience, and “every crisis management exercise should be carefully dissected as a learning experience”. Once the security incident has been resolved and you’ve implemented your post-breach communications plan, make sure to revisit your plan and measure your performance to prepare for future potential incidents. Gather your crisis communications team for a post-mortem discussion to evaluate how you’ve handled your internal and external communications during and after the incident. The following questions could help guide your discussions:

• Has incident-related information been communicated to all relevant stakeholders?
• Has information been communicated in a timely manner?
• Have we used the appropriate channels for our messaging?
• Have we received any feedback (positive and negative) on how communications were conducted? What can we do to improve?
• Does the communications plan need to be updated?
• Have we documented our communications for future purposes?

 

In Brief

“Speed matters, transparency is critical, and owning the breach is important.” – Barkly, 2017

When it comes to communicating effectively after a security incident, preparation is key. A well-executed and well-prepared communications plan that is endorsed by key stakeholders, together with a dedicated crisis communications team who will manage internal and external messaging, can make all the difference. If your communications remain transparent, timely and targeted at all times, you are well on the way to mastering the art of post-breach communications.

On a final note, effective communications can not only prevent substantial customer churn or irreparable reputational damage, they can also strengthen your position. According to Deloitte’s 2016 Privacy Index, “33% of customers reported actually gaining trust in an organization after being alerted by the company about a breach”. If you see a security incident as an opportunity to strengthen customer relations rather than a threat, you may actually come out stronger after a breach.

---

Want to find out more about how your organization can better respond to security incidents on a 24/7 basis? Check out our case study below to learn more about the value of managed security services and incident response management for protection your organization’s data.