Managing your message in a cyber incident

Your organisation has been targeted in a ransomware attack. Your systems are impacted, your services are severely disrupted and it appears likely that your customers’ personal information has been compromised. 

​

It’s a nightmare scenario for any organisation, and one which often presents an acute communications challenge. You have a responsibility to inform potentially impacted stakeholders so they can take action to protect themselves against fraud or identity theft. 

​

However, you may know very little about the details of the cyber-attack or the extent of any possible data breach. As the forensic investigation continues, your understanding of what has happened – and what data a threat actor holds – may change significantly over time. 

​

You also face the need to avoid causing unnecessary alarm or panic among your stakeholders, an outcome that could seriously undermine your organisation’s credibility. 

​

So, if you can’t speak in any detail about the cyber incident, what can you say? Here are some guidelines for managing your message in the first stages of a cyber incident response: 

​

Be upfront: State in simple terms what you know about the incident, sticking to the facts you can confirm. Don’t minimize the event, but avoid the kind of colourful language that attracts media headlines.

​

Acknowledge the impact: Those who may be affected, for example, your staff or customers, are likely to be frustrated, anxious or concerned – by acknowledging their situation, you can convey a measure of empathy and concern. Offer an apology, promptly, when it’s warranted. 

​

State what you are doing: Your audiences won’t be aware of the intensity and urgency with which your teams are responding. Spell out the actions you are taking, from working to restore customer services to alerting the authorities and conducting a detailed forensic investigation with the support of cybersecurity experts. Your objective is to reassure stakeholders that you are doing everything possible to protect their interests. 

​

Tell people what they can do: If your stakeholders have concerns about their data security, let them know the steps they can take, for example, being vigilant for unusual online activity. If they have questions, let them know who they can speak to in your organisation, and how your team can be contacted. 

​

Commit to updates: There are very few iron-clad promises you can make in a cyber incident response. For example, you can’t guarantee when you will have services restored or when your investigation will be completed. However, you can guarantee when you will provide the next communications update, be it the next day or the next week. Make sure you stick to that promise, even when there is little new to say – stakeholders want to know you haven’t forgotten them. 

​

The messages you impart and the information you share need to be the same across all audiences and weaved into all your Q&A responses – clear, consistent communications is key to maintaining credibility in any crisis response. ​