Plan now to avoid a communications failure after a cyberattack

Responses to recent cyber breaches suggest organizations can struggle to get the message right in the midst of an incident. While managing the communications around an incident is outside the direct purview of the CISO, having an existing communications plan in place is an essential element of cyber preparedness.

“Communications are a critical component of a good cyber strategy, and it should be prepared and practiced in organizations before an incident occurs,” says Eden Winokur, head of cyber at Hall & Wilcox, which helps companies with cyber incident management among other things.

Cyber preparedness should include a communication plan

Winokur’s advice is to err on the side of transparency, while ensuring accuracy when it comes to responding to a cyber incident. “Cyber is not just an IT risk. It really is an enterprise risk, and a key part of cyber preparedness includes a communication strategy within the organization and with external stakeholders.”

If it is a significant incident, it’s vital to engage with people who have specific experience in dealing with cyberattacks. “We often recommend bringing in experts to help companies understand the implications of their communications and how certain things will be received by the public or the media,” Winokur notes.

While there’s little official guidance provided by associations or government on developing a communication plan, the communications team in conjunction with senior leadership, legal and the CISO’s team should have input into developing the response. It needs to consider duty of disclosure requirements for privacy regulations, listed companies and law enforcement bodies.

Winokur recommends starting by analyzing and recording all relevant organizational stakeholders, internal and external, and keeping this record updated as things change. “We also recommend companies go through their key contracts and understanding what their obligations are when it comes to communicating with customers.”

Prepared statements that have already been approved can be adapted quickly and will lay the foundation for an organized response. “There needs to be templates that can be tailored to the specific issue at play,” says Winokur. These can go out to employees, government, stakeholders, customers or clients, on the website and any other place that may be needed.

Do not rush post-breach stakeholder communication

When cyber incidents first break, it’s often a case of known unknowns, and the urge to reassure and even contain the incident is strong. But the need for accuracy is paramount, warns Andrew Moyer, executive VP and GM with Reputation Partners, which handles crisis comms. “You want to be the one out there, planting that narrative flag first,” he says. If organizations get ahead of themselves and issue definitive statements, based on the understanding at one point in time only to recant or change them later, it can spell a bigger disaster.

Suddenly, a cyber incident turns into a full-blown PR crisis. If things change, as they tend to, it can raise questions as to the credibility of the organization. “What you don’t want to do is say something with such specificity that you risk having to walk it back and you lose credibility,” says Moyer.

With cyberattacks becoming more regular every year, the general public has a certain level of understanding, and even expectation, about incidents occurring. As a result, Moyer believes people are more comfortable with qualifying statements, so “you’re not painting yourself in this absolute corner”. Instead of aiming for exact numbers, for example, he recommends using language that includes “relative scale terms such as ‘We’re aware it’s a limited number of individuals impacted’ as opposed to ‘we think it’s 1,000 people.’”

Anyone in a frontline position needs an early warning sign something has occurred and a direct line with decision makers to raise the question of when it’s necessary to activate the crisis plan. “It’s critical, as part of any communication strategy, to ensure you’re accurate and to acknowledge if an investigation is ongoing, and to make that statement over and over again. Some of that comes down to building those materials as templates early so that people have done an initial review and sign off. And you can move a little quicker,” Moyer says.

How to ensure a good post-incident communication plan in place

An existing communication plan will have mapped the information flow to ensure the right people are informed quickly enough to organize themselves and disseminate the information so that everyone is getting a consistent message. It can establish the crisis response team, that includes the CISO, the communications lead and HR, if it’s an internal breach. The aim is to have everyone understand their role and responsibility in this particular response as well as the organization’s preference for the balance between speed and accuracy.

However, a plan is only as strong as its testing. “Reviewing gives you that regular ability to evaluate your risks. Are there new ones we weren’t thinking about last year that we need to plan against? Are there gaps and vulnerabilities that we can address?” Having a fully developed plan means avoiding the problem of relying on the collective memory within the organization about how crises are handled. “It also ensures that if you’re the person with all that institutional knowledge, and you retire or leave, there’s something to turn to in the event of a breach,” says Moyer.

When it comes to cybersecurity there are a list of things to consider, which might include notification requirements at the state, local, federal and international levels, contract provisions with partners, or customers and so on. This is why Moyer recommends having external counsel and crisis comms on speed dial. “Having those relationships set up in advance again, just allows you to move more quickly in the moment.”

There may also be a time to pull back on the communications because it can potentially make the situation worse. External communications advice is helpful here. “They can evaluate key criteria to decide if you need to shift your posture from more reactive to more proactive. Do we need to change the messaging or the narrative that we’re going out with?” Moyer says.

For CISOs, Moyer recommends having a good operational plan in place and communicating that internally to other stakeholders, while also understanding how their operational response fits into a communication response. It’s a two-way street. “So communications folks understand the operational response and the operational response team—CISOs—understand what the communications response should look like,” he explains. “It’s encouraging them to drive that connection between those functions, if it’s not currently taking place.”

“It’s not to overburden someone focused on a critical operational response with communications; it’s just ensuring that flow of information, the structure and the process in place in an organization allows for the best chance of that occurring.”

Why incident detection sets the tone for communications

Early detection isn’t just vital for limiting the damage, it’s integral to managing the response. Paul Black, partner in KPMG’s forensic services who specializes in cyber incident response, says the way organizations discover they’ve suffered an incident can determine how they respond to it. He commonly sees organizations not realizing there’s been a breach until sometime later, sometimes when their data starts appearing on the dark web. “There’s often a panic response and panic communications because it’s quite commonplace for organizations to learn from a third-party, whether it be a client or a customer, or even a competitor, law enforcement or regulator, data is out there on the dark web. So, they can’t necessarily get ahead of this,” Black says.

If they can quickly understand the root cause, it paves the way “to make sure the right stakeholders are brought in, the right notifications are made, the data can be managed and the communications with third parties can be managed appropriately,” he says. “The detection and awareness element actually connects to the communications element, because the sooner you know, the better you’re able to understand and feed through information. And maybe that connection hasn’t always been really explicit in the security space and for CISOs.”

Black recommends organizations utilize their cyber insurance where it covers PR and crisis communications. It can help in responding to incidents, especially in discussions around the “Crown jewels” in the organization and how to handle disclosure obligations. In some cases, the means of communications may be part of the problem, such as in the case of business email compromise (BEC), so it may need to be shut down for a time, only adding to the challenges. Above all, having an established chain of command for managing incidents that factors in the internal and external communication aspect is vital.

Another consideration is that communicating internally is as good as disclosing externally in the age of digital communications. “These things can be incredibly sensitive. It may not be appropriate to release communications internally to say: ‘we’ve suffered a data breach, we’re investigating it’ because the next day it could be on the front page of the newspaper,” he says.

Black also encourages CISOs and senior leadership to make the time to run through simulated scenarios to stress test the response plan. “It’s getting senior leaders sweating in a scenario which walks through a cyberattack, and not necessarily something that fits in with a pre-canned incident response plan,” he says.

He advises CISOs not to avoid challenging exercises and just settle for an insight session for fear of potentially embarrassing senior leaders within the organization. “That’s the worst thing possible because you want people to be put under pressure by running through a scenario in a safe environment. That’s how incidents work, it’s immense pressure.”

“The best outcome is if that organization walks out with 100 gaps identified and everyone’s got a list of 20 action items that they need to fix. That means collectively you’ve identified where the response capabilities are not up to scratch, can address them and then uplift your capability,” Black says.

“The organizations that respond most effectively have invested the time in challenging themselves and their senior leaders and learning from those exercises.”