No one needs to tell you that data breaches are costly. That data has been quantified and the numbers are staggering. In fact, the IBM Security Cost of a Data Breach estimates that the average cost of a data breach in 2022 was $4.35 million, with 83% of organizations experiencing one or more security incidents.

But what’s talked about less often (and we think should be talked about more) is how communication — both good and bad — factors into that cost. While no one has mapped out the exact cost of poor communication — or the cost mitigation of good communication — the fact remains that how you communicate affects your costs, recovery time, and reputation.

We’ve heard it stated this way:

A precise technical plan can make sure you have a network that runs once a breach is remediated. A precise communication plan can make sure you still have a business to run when you’re back online.

Having an airtight response that spans the whole organization — technical and business — can be a significant cost mitigator during a breach.

Why a standard crisis communication plan won’t work

Organizations are beginning to understand the cost of poor communication during a breach —  through vicarious learning — largely by watching how other companies communicate (both good and bad). And what’s even more important to watch is how customers, public and the media respond. But even with some stark examples of mishaps and their accompanying consequences, many companies still don’t have a communication plan in place.

Worse, some organizations think they’re prepared for a cyber crisis because they already have a disaster communication plan in place — and that there is no need for a cyber-specific communication strategy. Usually, those plans are geared toward responding to a flood, earthquake or other acts of nature.

Those are totally different beasts than a cyber crisis and can gently lead organizations into a false sense of security (no pun intended) about their communication abilities. And admittedly —  hearing that response sends shivers down our spines. Different types of crises require different response plans.

Here’s why.

During a cyberattack, your organization’s usual modes of communication may be down. Or worse, they may be compromised. That means threat actors could have access to your email, Slack or other communication methods — in which case, they’ll know the moment you spot them, what you’re doing to respond, and use that to stay one step ahead.

More importantly, there are some critical differences in what you communicate, when, and to whom during a cyber incident. Your internal stakeholders are different during a cyber incident and often include teams that don’t normally rely on one another. As a rule, few of these points are covered in a standard disaster communication strategy. That means when a cyber incident occurs, you’ll be left scrambling to figure out who needs to know what and when — and because many industries and geographies have timely reporting requirements, you could also face stiff fines and penalties.

There’s an old communication adage that reminds us that whoever delivers the news first, owns the message. A cyber crisis is a situation in which you want to own the message, and not end up in reactive mode, trying to manage speculation from customers or circulating in the news and social media.

💡 Related: I’d Like to Buy a Vowel: The Price of Poor Communication During a Data Breach

Communication in a cyber crisis: Who, when and how

Perhaps one of the biggest challenges unprepared organizations can face in cyber crisis communication is internal communication when an incident occurs. A robust cyber crisis communication plan will identify a dedicated interface between your comms team and the IT department or incident responders working to remediate a cyber event. A necessity for success is ensuring that you have a high-level technical fact sheet that IT teams can fill out during an event and provide information to communicators.

Once complete, that fact sheet needs to be passed to someone on the communication team who has the skills to translate it quickly and accurately into terms that everyone can understand. This translated document then becomes your communication seed document and your single source of truth during an incident, helping to eliminate speculation and keep all your teams on message. A technical fact sheet, predefined and clear lines of communication between IT and comms, and an accurately translated seed document are elements that are seldom included in a traditional disaster communication plan.

An equally important step is determining who your stakeholders are and how you will communicate with them. These will be different for a cyber event than for a natural disaster and identifying them up front will reduce confusion and help ensure you save time, money and preserve your reputation during a cyber crisis.

Each group requires a similar but distinct message. You should know what information each group requires and on what cadence. For example, customers may want to know if their data was compromised and what measures the organization is taking to address the issue, while employees may need to be informed about the impact on the company’s operations and any contingency plans. The media may require regular updates on the remediation status.

A solid cyber crisis communication plan will also include a stakeholder map — both internal and external — to help you align messaging accordingly. Some questions your map should answer are:

  • Who is my dedicated contact in IT? What information do I need from them to accurately communicate about a cyber event?
  • Who are my key internal and external stakeholders? (Pro tip: Make sure you include your Board of Directors)
  • What do I need to tell them and when?
  • What channels will I use — and do I have backup channels if primary channels are inoperable?
  • Who needs to approve communications — and when?

It’s helpful to use your stakeholder map to create templates and holding statements for each audience so your organization is better prepared when a crisis happens.

Your organization’s communication needs to be swift, meaningful, and come from a reputable source. Some organizations choose to have their CEO or CFO be the main point person for public comments (guided by PR or Communications), in addition to identifying a key spokesperson for internal communications. A robust cyber crisis communication plan should include who will provide updates, where the updates will be given, and identify backup individuals for both roles.

Requirements to notify regulatory and other authorities

Depending on the geography, industry or industries in which your organization operates, breach notification requirements can vary with regional and local laws. These rules can include regulatory requirements, international customer data loss and special data, such as compromised healthcare data. Specific requirements organizations may be subject to include the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and others. However, in almost all cases, breach notifications must be immediate or within 72 hours of finding out about a breach.

In some cases, regulators require using their templates and certain analyses to be provided, such as data impact analysis.

It’s important your compliance and data officers understand regulatory requirements including when, where and how to report them. Failure to comply with regulations can result in hefty fines and other legal penalties.

What your cyber crisis communication plan should look like (And how to get one)

A cyber crisis communication plan typically dovetails with a broader cyber crisis management plan. These plans cover the full business response to a crisis and outline the who, what, where, when, and how of incident remediation. A strong communication plan built in tandem with a broader crisis plan will better enable a swift response.

In our experience, the most successful plans have templates and outlines for all potential communication scenarios during a crisis, including cross-team alerts and holding statements for various stakeholders. Templates and pre-defined holding statements maintain consistency and free up time for your team to focus on solving the crisis.

A solid cyber crisis communication plan will also:

  • Provide information to your stakeholders in a consistent, understandable, and knowledgeable way
  • Control speculation and include what you don’t yet know about the incident each time you communicate
  • Reinforce messaging by providing regular updates at preidentified times and on preidentified channels
  • Give you an opportunity to reinforce your mission, vision, and values by living them when you experience your worst day

With a well-developed cyber crisis communication plan, your team members can concentrate on executing impactful actions, paving the way for faster remediation, ultimately helping you preserve your reputation, retain customers and get back to business quickly.

X-Force Security Consultants lead clients through workshops to develop complete, business-wide plans every day. Schedule a consult to learn more through the IBM X-Force Scheduler.

More from Defensive Security

X-Force uncovers global NetScaler Gateway credential harvesting campaign

6 min read - This post was made possible through the contributions of Bastien Lardy, Sebastiano Marinaccio and Ruben Castillo. In September of 2023, X-Force uncovered a campaign where attackers were exploiting the vulnerability identified in CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user credentials. The campaign is another example of increased interest from cyber criminals in credentials. The 2023 X-Force cloud threat report found that 67% of cloud-related…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

X-Force certified containment: Responding to AD CS attacks

6 min read - This post was made possible through the contributions of Joseph Spero and Thanassis Diogos. In June 2023, IBM Security X-Force responded to an incident where a client had received alerts from their security tooling regarding potential malicious activity originating from a system within their network targeting a domain controller. X-Force analysis revealed that an attacker gained access to the client network through a VPN connection using a third-party IT management account. The IT management account had multi-factor authentication (MFA) disabled…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today