Cybersecurity Incident Response: Not Just an IT Problem

By Dan Brennan, SVP, Technology

There’s a good reason cybersecurity insurance exists. The volume, frequency and persistence of attacks continue to escalate. The attacker you blocked yesterday is trying something new (and unanticipated) today. Sad to say, data breaches are becoming nearly inevitable as a result.

The truth is an insurance payout following a data breach can’t make your brand whole again — no matter the size of the policy. But the way you communicate during and after — the pace, the channels, the transparency of your security incident response — can.

That said, operational recovery for a security incident is staggering, stressful and all-consuming. This can lead to communications being lower on the priority list and to poor decisions that compound the problem. That’s why preparedness in the event of an incident is the only recipe for success. Here are key considerations for cybersecurity incident response and communications strategy.

Who needs to be involved in a security incident response plan

Too many cooks can impact pace and create indecisiveness. These can be costly factors during a security incident. It’s important at the outset to identify and notify the key participants within the business who will be involved in the strategy and communications. This will vary. For example, if the company is public, members of the investor relations (IR), legal and regulatory teams need a seat at the table.

Map out a step-by-step timeline outlining who to involve, what decisions they can make, when they should be brought in, and what their role is when it comes to the rollout of the plan itself.

Communicating what you know vs. what you think you know

Facts are important. During a data breach there’s no room for speculation. If you don’t know for sure, don’t communicate it. You’ve already lost equity with clients and partners. Reporting inaccurate information kills any credibility you had left. Don’t stray from what you know and manage audience expectations appropriately.

Who needs to know and how should it be communicated

Do we need to issue a public statement? If a breach only impacts a small group of the client base, do all clients need to be alerted? If we discovered a vulnerability, but can’t say for sure if anything was taken, do we need to communicate it? It depends.

Each situation is unique, and each cybersecurity incident response approach needs to be tailored to the situation. There are no hard rules on who needs to know and who doesn’t, but it’s an important discussion as you play out various scenarios in your strategy.

There’s one key consideration when thinking about how information is communicated: consistency. This is incredibly important to avoid confusion and inaccuracy. Consider creating a single point of truth where information will be communicated. Guide people to that resource to ensure that everyone gets the same information. Sure, there will be personal conversations that need to happen, and there will be people within your business who will likely go rogue. Expect it and plan for it. Anticipate that anything shared in a digital channel can (and will) be broadcast to the world.

How often should you communicate?

Frequency is equally important. More frequent communications tend to help reestablish trust if the information is relevant and new. At the very least, it’s important to set expectations around this. Tell your audience how often they should expect to hear from you and always deliver on your promise. If you are going to stop (or slow) communications about the incident, be transparent about that as well.

As the attack surface for businesses (and threat actors) continues to expand, it’s important for business leaders to broaden their thinking beyond the IT implications of a cybersecurity event. Communications needs to play a key (and leading) role whether you are a startup or an established brand. These business considerations merely scratch the surface of what’s relevant and important, but they can serve as a guidepost as business leaders evaluate a plan for a possible future data breach.

If you’re interested in how this impacts cybersecurity vendors, read our blog on cybersecurity PR and marketing.
