
Op-Ed: Security incident response is no longer just a technical issue, it is full-scale crisis management

With the recent spate of high-profile cyber security attacks that have impacted the finance, health, and critical infrastructure sectors, incident response has shifted from just a technical response to full-scale crisis management.

David Hollingworth
Thu, 14 Sep 2023

Wise organisations with a focus on risk have always invested in crisis management and business continuity planning.

Recent attacks have laid bare organisations that have failed to plan. They have been caught in the glare of negative media reporting, disgruntled customers, and government action that have affected recovery efforts, damaged reputation, and punished shareholder returns.

Traditional crisis planning has focused on technical remediation and prevention plans, but it must also consider the wider implications to brand, reputation, and ongoing viability. Incident response teams are now full-scale crisis response teams. They must be cross-functional and involve the board, senior leadership, human resources, legal, finance, public relations, marketing, as well as technical teams.


Organisations require plans for how to communicate during an incident at rapid speed with customers, staff, government, law enforcement, the media, suppliers, partners and the wider community. One of the most important lessons learnt from recent cyber attacks is that how an organisation communicates about a crisis is as important as what it does about a crisis.

The 5 elements of effective incident communication

Effective communication about an incident needs to be factual, avoid speculation or premature drawing of conclusions, and not use emotive language. It may be appropriate to present information in different ways for specific audiences, but messages must remain consistent and focus on five key things – who, what, why, when, and where.

Who: It may be tempting to jump to attribution and blame, particularly during the initial stages of the response. However, the focus must be on communicating with those impacted by the incident. In some incidents, attribution may be a criminal matter best left to law enforcement agencies.

What: In an emerging situation, it may be difficult to describe exactly what has happened. Deal only in facts and communicate new information as it comes to hand and is verified. Don’t speculate. Be honest and transparent, and don’t try to hide anything.

Why: This is closely tied to what happened. If there is a plausible reason that explains why the incident occurred, then it should be articulated. For example, a ransomware incident is likely to be financially motivated.

When: A timeline of the incident is important from a forensic perspective and for assuring impacted parties that you have been investigating the issue and are notifying them as soon as possible.

Where: Depending on the nature of the incident, only a subset of potentially impacted parties may be affected. Being clear about this helps allay fears.

Don’t wait for a crisis, be prepared and ready in advance

When a full-scale incident is unfolding and the spotlight of media attention is on you, it is too late to start working out how to communicate, who to communicate with, and when to communicate.

Communication plans must be included alongside technical remediation plans. Risks and likelihood should be mapped in advance, with strategies and draft materials ready in case they ever need to be actioned. The organisation should rehearse and practise its communication plans and make sure all team members understand their roles.

It is critical that communications are tailored to the needs of each audience. A message to customers will be different to that provided to trading partners or to the media. While the facts will be the same, the style may be quite different.

One of the keys to effective incident response is readiness. Carry out a risk assessment so you understand the sorts of cyber incidents you may face. Create plans for how you would react to each type of cyber security incident. This includes knowing who you must notify, how to communicate with each impacted party and the timeline for communication. For example, communicating with customers may come before authorities if regulatory timelines allow.

Prepare drafts for all important crisis communications around the cyber security incident. Having draft materials prepared and approved with placeholders for incident-specific information will save time for the communications and senior leadership team and allow you to focus your energy on responding to the emergent situation.

Repairing the technical damage following a crisis may be costly but ultimately relies on access to funds, skills, and time. Technical damage is relatively easy to repair. Reputational damage is much harder to fix. It can result in customer losses that may take years to recover. Clear and timely communication is a critical element of effective incident management. This applies during the incident and in its aftermath as your organisation maintains and rebuilds trust with stakeholders about what it has learnt and how it has improved operations to avoid the same issue occurring again.


Mark Jones is a senior partner at Tesserent.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
