Light Dark
October 30, 2019 By Koen Van Impe 5 min read
Incident Response

If you work in incident response, you’ll recognize this scenario all too well: It’s Friday night and you just started the book you’ve been keen on reading for a couple of weeks when suddenly, you hear your beeper buzzing. The display reads that the security operations center (SOC) escalated a security incident for an intrusion taking place on your company’s customer database.

Not to worry, though. You prepared for the possibility of a data breach and have an incident response plan ready for this kind of incident. Your team is well aware of the data breach risks associated with possible unauthorized access to the customer database. Your plan includes how to escalate matters to management, how to report issues to your data protection officer (DPO) and instructions for the IT team to preserve evidence, contain the threat and recover from the incident.

There’s nothing more to do, right? Not quite.

Take Control of Incident Response Communication

Incident response processes often only focus on the technical aspects of proper procedure. While we’ve already included escalation points to management and can foresee direct lines with the legal and human resources departments, there’s one crucial element that is frequently overlooked: communicating with your stakeholders.

One common data breach risk is this type of news spreading fast, and it’s often uncontrolled. Your incident response training and plans can prepare for a data breach, but they will not help you if, as a result of a miscommunication, your entire focus is on damage control instead of explaining what exactly has happened. It is essential that you remain in control of communications of this nature during and after a security incident.

The PR team for your organization is exactly the team that can help you accomplish this, but some planning and preparations will be necessary to ensure their support.

Identify Your Stakeholders

First, start by identifying your stakeholders for communication. Not every stakeholder requires the same level of detail or frequency of communication, but you have to identify these needs up front. This is where the PR team can provide valuable input, as they have already established these communication channels and should have a good idea of stakeholders’ expectations. For each group of stakeholders, it’s important to determine the following:

  • How you can reach them — take note if there are dedicated communication contacts at both ends.
  • The level of technical details they will expect.
  • The expected frequency of updates.
  • Decide if communications to the stakeholder group should occur publicly or via closed channels. For example, you might reach out to your customers through a press release and your board of directors through conference calls.
  • If you have previously included the contacts in exercises to prepare for a data breach, then use any lessons you’ve learned to further refine the information you provide.

Don’t forget about employee communication. It’s important to keep your employees aware of the incident and ensure that they hear the details from you and not from the media. Having employees on board during a security incident can help you resolve the matter more quickly and maintain trust in your organization at the same time.

Communication Templates and Finding the Correct Tone

Finding the correct tone during a crisis can be challenging. Additional data breach risks may be created if stressful emotions are allowed to take over during communication, especially when companies discover they have just been robbed of their data. To avoid having to come up with a text in the heated moment of an incident, it’s best to prepare a set of templates with the PR team that can be used to inform different stakeholders.

Here are some key elements to consider as you develop these templates:

  • Decide which elements you want to disclose or highlight during communications. This can include describing the types of data and consequences associated with the breach, especially if there’s a risk of losing personal or sensitive information. You should also decide what type of attribution you want to include in your communications, if possible. Non-public information for certain stakeholders might include attribution, while public communications might be more generic.
  • Always use the Traffic Light Protocol (TLP) in your communications. Verify that your stakeholders understand the schema. It may be expedient to share the schema across your channels.
  • Be aware that some communication can have legal consequences, as a public statement may be admissible in court if a lawsuit is filed.
  • Be sincere about what happened. Do not create templates that downplay an incident, as this can be disrespectful to your customers.
  • If you’re still searching for answers, say so.
  • Make sure your templates include contact information for stakeholders to reach out if they have additional questions.
  • Remember to tune your communications for social media. Twitter messages might be different from Facebook posts or press releases.

In your communications, always take responsibility for what happened and provide an indication of what steps have been or will be taken to protect your customers and how the situation could influence your services to them.

Develop a Communication Process

Next, verify with your PR team which types of incidents (based on impact or severity) will require their involvement. It’s essential that the incident response team and the communication team are on the same page, so make sure your taxonomy is understood by the PR team. Appoint a dedicated technical liaison for the communication team who can assist with the translation of technical concepts into language that is clear and understandable by the intended audience.

During the communication process, you need to include controls that help you decide which parts of the incident you want to disclose. Remember that making a public statement means letting attackers know they have been discovered. This could cause them to erase their tracks or conduct further retaliation attacks. You will need to evaluate disclosures on a case-by-case basis, but it’s worth thinking about these scenarios up front.

Your process should also include verifying whether your internal teams can handle the communication flow or if external help will be required, especially after the incident.

Incident Response Tooling

You should be able to rely on your organization’s communication tools during an incident, but it’s always good to prepare for the worst.

  • Set up a status or communication web page outside your organization. Having a backup internet connection (for example via a mobile phone) to update these pages might also be necessary.
  • Social media provides a widely accessible means of communicating, but beware of miscreants creating fake social media accounts and impersonating your organization. If you can, preregister social media accounts with names resembling your official accounts.
  • Foresee feedback loops in your tooling and verify that communications have effectively reached your stakeholders.
  • If you need mass communication, evaluate how you can send out text messages, social media posts and press releases at the same time with more or less the same content. The European Union Agency for Cybersecurity (ENISA), for example, published guidelines for secure group communications for incident response and operational communities.

Ultimately, you cannot overlook the communication component in your handling of security incidents. It is crucial that you ensure communications are supported by the team that’s best suited for the task, the PR team, who should be considered essential players in your incident response process.

 |  |  |  |  |  |  |  |  | 
Koen Van Impe
Security Analyst

More from Incident Response
April 9, 2024

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

March 6, 2024

Why federal agencies need a mission-centered cyber response

4 min read - Cybersecurity continues to be a top focus for government agencies with new cybersecurity requirements. Threats in recent years have crossed from the digital world to the physical and even involved critical infrastructure, such as the cyberattack on SolarWinds and the Colonial Pipeline ransomware attack. According to the IBM Cost of a Data Breach 2023 Report, a breach in the public sector, which includes government agencies, is up to $2.6 million from $2.07 million in 2022. Government agencies need to move…

February 21, 2024

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature