Every day as CISOs, we see yet another organisation in the news for being breached and having its data sprayed across dump sites. For me, as CISO, it’s a nightmare scenario. On many occasions, seeing these examples leads me to consider what we could do differently: could this attack have succeeded against us, are our plans in the right shape, and do we have the proper controls in place?
Over the years, I have learned many vital lessons, and for me, the most important breach response tool we have in our arsenal is communications. There are many approaches to technically managing a breach due to the high number of variables of how, what, and sometimes why a breach has occurred. However, the one constant across all serious incidents is how you need to communicate clearly and concisely to all of your stakeholders.
Communication is the key to ensuring all of your stakeholders remain as calm as possible, respond most effectively, and are reassured that you ‘have got this.’
When I read breach notifications, more often than not, I come away with more questions than when I started. For most people, there is an underlying desire to know “How does this affect me?” or “Is my data safe?”, and these are key messages for me to include in order to reduce a stakeholder’s anxiety.
Developing a good communications plan involves many key steps, regardless of the industry. Here are my top five tips for better communications for surviving a breach:
• Brief your stakeholders:
  • Have your senior stakeholders’ phone numbers on your phone.
  • Also, have the phone numbers of your senior stakeholders’ support staff. If you can’t reach the stakeholders, their support staff will know how to reach them.
  • Have alternate email addresses for all of your stakeholders, in case the organisation’s email services are not operational.
  • Refresh the stakeholder list quarterly as part of your incident response preparation.
  • Prepare a list of key external suppliers so that you can contact them via email.
  • Keep this list confidential, as it is a valuable list to an attacker.
  • Practice briefing your stakeholders in person or over video (it’s harder than you realise).
• Practice writing communications:
  • Practice issuing communications to all of your stakeholders in your cyber drills.
  • Bring in external expertise to train the response team and your own communications people in crisis communications.
• Define what information is appropriate to release prior to an incident:
  • What is appropriate to share during an incident?
  • Have your Legal team review all information.
  • Understand what your authority is to answer questions (internally and externally).
  • Have a base template of initial communications drafted that can be easily tailored and issued quickly, e.g., one citing ‘technical difficulties’ and stating that you will provide more context once you know more about the breach.
• Develop a Communications Management Plan, including:
  • the cadence of communications to each stakeholder type;
  • the approval process for all communications; and
  • the level of information allowed to be shared with each stakeholder type.
• Practice managing long-running incidents in your cyber drills:
  • Many breaches will run for days or months, and retrospective communications need to be accurate, so decide in advance:
    • Who will maintain the incident log?
    • Where will the incident log be stored?
    • Is the incident log storage secure from any attacker?
This is by no means a complete list. However, these are the things I have learned in 22 years of Cyber Security and running many serious incidents, and they have made my life easier.