Cybersecurity incidents have typically been viewed through a technical lens. Thatโs not surprising given most attack vectors use different forms of technology to overcome defences and then attack data and access to systems through vulnerabilities and exploits in applications. But the impact of a cybersecurity incident reaches far beyond the IT department. It is now in the realm of organisational full-scale crisis management.
Cybersecurity crisis management must go beyond technical remediation and prevention plans and include the wider impact to brand, reputation and ongoing viability. Cybersecurity incident response requires a multi-disciplinary incident response team. That team must involve the board, senior leadership, public relations, marketing, human resources, legal, finance, and technical teams.
The reach of a significant cybersecurity incident goes far beyond the loss of data and access to systems and frequently now brings the added pressure and spotlight of media attention. Every organisation operates within an ecosystem of customers, suppliers, employees, regulators and other stakeholders. An effective cybersecurity crisis response plan must consider that environment. Communication with each stakeholder must be focussed on what they need to know without embellishment. Effective communication captures five key elements:
- Who is impacted by the incident.
- What happened and what actions are you taking. If there is an explanation for the incident state it clearly without emotion.
- Why did the incident occur. For example, was it financially motivated?
- When did the incident occur and when was it detected.
- Where did this happen? For large organisations operating in multiple locations, itโs important to be clear about whether only specific areas are impacted.
The key to effective incident response is preparation. When you look at the responses to different incidents that are reported in the media, itโs clear which organisations have an effective response plan, and which are flying by the seat of their pants with poorly prepared media spokespeople. This planning process starts with effective risk management.
First, identify all the risks your organisation face and rank them in terms of severity and likelihood in your risk matrix. If you are in any doubt about how to do this, ISO 31000 provides guidance for creating and maintaining a risk management framework.
For each risk that falls towards the top right corner of the matrix โ risks that are more likely and have a significant impact โ plan how you will mitigate those risks and what will you do if those risks occur. This is where your communication strategy needs to be clear.
For each impacted stakeholder group and risk, prepare communication response templates. For example, if the organisation deems that a ransomware attack has a high likelihood and impact, draft communications for all the potentially impacted stakeholders. This could include media, staff, customers, partners, and shareholders. Also, ensure you know how youโll reach them during the incident. Itโs possible you wonโt have access to your normal email system. If thatโs the case, how will you alert people in a timely manner? You may need to have a backup communications system in place if you deem the risk significant and have the resources to put such a system in place.
Timely and effective communication that provides useful information without trying to obfuscate the severity of an incident is critical for maintaining trust during a crisis. It shows that the organisation has considered the risks and prepared a response. Effective communication will also take the pressure off contact centres and other communications channels, reducing pressure on staff during a stressful time.
The technical damage to data and systems following a cybersecurity incident can be repaired. It may be costly but access to funds, skills and time will remedy the damage.ย But the impact on customer trust and organisational reputation is far harder to repair. Customer losses following a poorly managed incident may take years to restore.
Effective, clear and timely communication is a critical element of effective incident management. Providing relevant information from the moment an incident is detected, through to recovery and in the aftermath is proven way to minimise reputational damage and restore trust with customers, partners and other stakeholders and reduce the risk of negative ongoing media reporting and speculation.