July 15, 2024 By Jennifer Gregory 5 min read

Cybersecurity experts tell organizations that the question is not if they will become the target of a cyberattack but when. Often, the focus of response preparedness is on the technical aspects — how to stop the breach from continuing, recovering data and getting the business back online. While these tasks are critical, many organizations overlook a key part of response preparedness: crisis communication.

Because a brand’s reputation often takes a significant hit, a cyberattack can significantly affect the company’s future success and revenue. However, effective crisis communication helps increase customer trust in your business’s ability to recover and manage the issue. By preparing for crisis communication before an incident and then following a solid plan, you can steer your organization through the storm.

How to plan your cybersecurity crisis communication

Successful crisis communication begins well before any cybersecurity incident begins. Some companies include cybersecurity crisis communication as part of their overall disaster recovery plan, while other businesses have a standalone plan.

Melanie Ensign is the founder and CEO of Discernible, a multi-disciplinary Communications Center of Excellence for security, privacy and risk teams. Ensign says that many companies sleep on security until something goes wrong and then they are trying to earn the benefit of the doubt in an unfavorable environment.

“When I work with clients, I ask them if something were to happen tomorrow, what would you want to be able to say? What do you wish was true, that you would be able to say in response to this incident?” says Ensign. “They tell me how they want to show up as a company, what values and characteristics they want to express. We then work to make all of those things true because if it’s not true, we can’t say it.”

Here are three keys to building the foundation needed to successfully manage a crisis.

1. Create a crisis communication committee

Have a team of employees responsible for collaborating across the organization and managing all communications when an attack occurs. This ensures that communication does not fall through the cracks and reduces the spread of misinformation. Create a team that includes members across the organization involved in cyber response, such as legal, cybersecurity, general management and PR.

2. Create a crisis communication plan

After the committee is assembled, one of the first priorities is to detail all tasks and determine who the responsible party will be for all communication after a cybersecurity incident. Ensign says it’s important to get all key executive decision-makers to agree in advance, or they are likely to make up their own plan once they feel uncomfortable during the incident. She also says a plan is essential as a playbook: if a key decision-maker is unavailable during an attack, another leader can easily fill in.

Because cyberattacks can involve many different schemes, from ransomware to data breaches, the plan should identify as many scenarios as possible and then detail an appropriate draft for each of them. The plan should also include communication points with other departments as well as the channels used, including email, website and social media.

“You need to be able to demonstrate to regulators that you had a plan and that you followed it. Sometimes, you may need to deviate from the plan. We learn things through incidents where we need to tweak our plan because this wasn’t exactly what we needed it to be and a plan helps justify all of those deviations,” says Ensign.

3. Conduct breach simulations for the entire team

While many organizations rehearse cyber response with the technical team, you should also include crisis communication as part of the simulation. Because a real attack is very stressful for everyone in the organization as well as outside stakeholders, practicing the response reduces tension, anxiety and potential errors.


What to do during a cybersecurity crisis

Once a cybersecurity attack is identified, it’s time to put your crisis communication plan into action. Because real situations often vary from plans and emotions are high, it’s vital to keep the following in mind throughout each step.

1. Communicate quickly and with as much transparency as possible

The quicker you communicate, the fewer rumors and less speculation will appear. As soon as you have basic information about the attack and the impact, share an initial statement that clearly explains what happened and any changes to business processes. If the attack was due to a mistake by an employee or the company, take responsibility. Explain how the company will communicate updates, such as through social media or a dedicated webpage, as well as a timeline for future updates. The first communication should also include any steps that people potentially affected should take, such as changing passwords or monitoring their accounts.

2. Set up a process for consumers to get additional information

Let affected customers know how to get additional information for their specific situation, such as a phone hotline or dedicated email. Make sure these channels are continuously monitored and that questions are responded to quickly. After the recent Change Healthcare breach, the company set up a dedicated website for information that also included a phone hotline.

3. Update communication regularly

Because a cyberattack is an evolving situation, you can rebuild trust by keeping in regular contact with all affected parties. By providing updates, you let customers know that you are taking the situation seriously and are taking action. Change Healthcare created a detailed webpage that provided the status of all business functions as well as the expected restoration date of each, which was updated daily during the height of the recovery.

“Your customers and people impacted by the incident are going to care about it far longer than the media,” says Ensign. “Just because it’s not in the media anymore doesn’t mean that it’s not important to continue communication.”

4. Share how the organization will reduce risk in the future

After the SolarWinds attack, the company brought in Alex Stamos, former Facebook and Yahoo security chief and current professor at Stanford University, and Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency (CISA), as independent consultants for SolarWinds’ recovery, which improved confidence in the organization’s future cybersecurity. SolarWinds also made significant changes in its security layers to reduce future risk, which they communicated to the public.

Have a communication plan in place

A cyberattack contains many unknowns and is a complex situation. By having a solid plan ready and a team to manage the communications, you can easily make changes based on the specific situation. With effective crisis communication, your company can get to the other side of a cyberattack with even more trust from your customers based on your response and communication.

“It’s important to have all communication plans, programs, assets, material, relationships in place before something happens,” says Ensign. “When that day comes, because we all know that day is coming, you have all of those things at your disposal and you can actually show up the way that you want to.”

IBM X-Force Cyber Crisis Management consultants can help communications teams build a customized, robust crisis communications playbook, adapted for response to major cyberattacks and your business’ preference of scenarios. The team can help integrate the communications stream into your cyber crisis plan, or uplift outdated plans and ensure they comply with today’s industry standards. In addition, X-Force Cyber Crisis Management consultants can run an immersive simulation that will include your communications team, helping to create muscle memory ahead of any potential cyber crisis.

Now that we have discussed what TO do regarding communication in a crisis, check out our next story in this series, Crisis communication: What NOT to do.
