
Cybersecurity Incident Response: Got A Crisis Communications Plan?

Author: Kevin Rubin, president and CIO, Stratosphere Networks

In her book “Data Breaches: Crisis and Opportunity” (excerpted here by Informit) Sherri Davidoff describes how Uber got hacked in 2016 and decided to keep the incident quiet. The company’s CEO resigned the following year in response to a scandal unrelated to the data breach, and the new CEO finally issued a statement about the “2016 Data Security Incident” in November 2017.

The revelation that the company had concealed a leak involving the personal information of hundreds of thousands of drivers and millions of Uber users was met with indignation and class-action lawsuits. Government officials also responded: the Pennsylvania attorney general sued the company for violating the state’s data breach notification law, and the city of Chicago, the city of Los Angeles and the state of Washington filed suits as well. Uber’s decision to stay silent about the breach for so long was as much a source of outrage as the incident itself.

Effective communication is essential in any relationship, including the connections formed between companies and their clients. This is especially true in times of crisis, such as in the wake of a cybersecurity incident that exposes your customers’ personal information. Withholding information, sending conflicting messages or failing to adequately answer consumers’ questions following a data breach could have a lasting and disastrous impact on your brand. The Uber incident is just one example of the consequences of not communicating with stakeholders properly following a data breach.

To avoid that kind of catastrophe, you must include crisis communications in your cybersecurity incident response plan. It’s not enough to plan for threat analysis, containment and remediation. You also need to have a comprehensive public relations strategy in place to reassure key stakeholders and preserve your reputation as much as possible.

How to Craft a Cybersecurity Incident Response Crisis Communications Plan

To ensure your brand isn’t tarnished and you don’t lose clients following a security incident, you’ll want to create a thorough crisis communications plan as part of your overall incident response plan. Here are some tips for building a solid strategy.

1. Assemble a crisis response team that represents your entire organization. You’ll want input not only from IT and security experts but also from your legal, communications and customer service teams, according to the Kaspersky article “Why now is the right time to plan your incident response communication.” Additionally, everyone should have a clearly defined role (e.g., getting your employees up to speed or informing customers) so they can act immediately if an incident occurs, according to the Secureworks white paper “The Criticality of Crisis Communications in a Data Breach Response Plan.”

2. Identify internal and external stakeholders you must inform in the event of a data breach. You’ll want to brief your staff members as well as clients, investors, the media and any relevant government agencies on what happened, according to Secureworks. Consider the sort of messaging you’ll leverage for each group and the parts they play in your recovery efforts. Designate a member of your response team to handle communication with each group of stakeholders.

3. Give a detailed explanation of the incident. Your communications about a data breach should offer an in-depth explanation of what occurred, how it affects your stakeholders, and what you’re doing to fix it and ensure it doesn’t happen again, according to Kaspersky. Your security team can provide comprehensive, confirmed information about incident resolution and damage mitigation efforts, so that what you publish doesn’t have to be walked back later.

4. Identify the channels you’ll use to inform each group of stakeholders about the incident. Some options include phone calls, emails or an online announcement, according to Davidoff. Many companies today use a hybrid approach: sending paper mail and emails to alert affected individuals while also maintaining an online FAQ and a call center for customers seeking information. If attackers have compromised internal email and unified communications, you’ll need an alternative secure method for alerting and informing your employees that doesn’t depend on the compromised systems, such as encrypted messaging, Kaspersky explains. Additionally, crisis communication should be an ongoing process. After the initial notification, keep your stakeholders updated as new information comes to light, as advised by the Institute for Public Relations article “After Disaster: Five Tips for Handling a Data Breach.”

5. Apologize sincerely. Following a security incident, you should issue an earnest apology as soon as possible and show empathy for the people affected by the breach, as well as letting them know what they can do to minimize the damage done to them personally, according to the Institute for Public Relations.

Ultimately, it’s possible to bounce back with minimal damage to your brand after a cybersecurity incident, but doing so requires thoughtful planning. Don’t wait until you’re already dealing with a breach to think about crisis communications.
