Cybersecurity incidents require careful coordination between the incident response team and a variety of internal and external stakeholders. An incident response communication plan is a crucial component of an organization's broader incident response plan that provides guidance and direction to these communication efforts. As with other elements of the incident response plan, organizations should develop their communication plan in a calm period to enable sound decision-making instead of attempting good decisions during the high-pressure environment surrounding a security incident.
Let's take a look at five actions you can take to ensure that your incident communication plan is as effective as possible.
1. Formalize the incident response team activation process
The first crucial communication that takes place in the wake of a security incident is the activation of the incident response team. Any employee suspecting a security incident should contact the organization's security operations center (SOC) or other designated 24x7 monitoring point. The SOC should follow a standard triage process to determine whether the event warrants the activation of the full incident response team.
In cases where the SOC determines that team activation is required, time is of the essence. Organizations should consider adopting an alerting mechanism such as PagerDuty or Opsgenie. These tools manage on-call schedules, trigger alerts through multiple communication channels and provide responder status information. Offloading these tasks to a dedicated platform reduces the burden on SOC analysts and increases the speed of convening the incident response team.
2. Designate a point person for external communication
As soon as word leaks of a security incident, external stakeholders will begin clamoring for information. The incident response team will be bombarded by requests from customers, the media, regulators and other stakeholders. Crisis communication requires a coordinated response to control rumors and ensure the organization presents a consistent message across communication channels.
Organizations should create a communication role on their incident response team to provide this consistent and coordinated view of the incident to external stakeholders. This person may not be a deeply technical team member but should have enough familiarity with technical concepts to serve as both a translator and filter for the technical information emerging from the response team.
3. Create criteria for law enforcement involvement
Two of the most crucial decisions facing an incident response team is whether it is appropriate to involve law enforcement and when that notification should take place. These are difficult decisions because law enforcement involvement often changes the nature of an investigation and increases the likelihood of public attention. On the other hand, law enforcement personnel have access to investigative tools, such as search warrants, that are unavailable to internal teams.
Incident response communication plans should address this quandary by outlining clear criteria for when the team should notify law enforcement. The plan should also identify who on the team has the authority to make that determination and what internal notifications should take place prior to involving law enforcement. For example, the team should likely consult with both executive leadership and legal counsel prior to involving the authorities.
4. Develop communication templates for customer outreach
Many security incidents require some level of communication with customers or the general public and an incident response communication plan should account for this. This might be a required notification in the wake of an unauthorized release of personally identifiable information or it might be an explanation to customers of a service disruption. The frequency, quality and content of these communications will have a significant impact on public perception, and these factors work to either limit or magnify the reputational damage associated with a security incident.
That's why communication templates are so critical to an incident response communication plan. They are perhaps the most important tool that a communication planning team can provide to incident responders. It's extremely difficult to craft a thoughtful, careful notification message and many people will want to be involved, ranging from account managers and executives to lawyers and public relations experts. Developing pre-approved templates can clear those hurdles in advance, leaving the incident response team to simply fill in the blanks and tweak template language, as necessary.
5. Monitor social media
Social media is an extremely important channel of communication between many organizations and the general public. Customers are quick to publicly voice their displeasure with an organization by tweeting out a public tongue-lashing. While companies should regularly monitor their social media mentions, this becomes crucially important during a crisis, such as a cyberincident.
Social media feeds can provide the incident response team with a quick read on customer sentiment and serve to trigger rapid intervention if rumors start to spiral out of control. In addition, social media reports may provide the team with important indicators of service performance, information disclosures and other facts that might shape their response priorities.
Rapid and effective communication is an essential component of a strong response to cybersecurity incidents. Solid incident communication plans provide mechanisms for rapidly notifying stakeholders, coordinating internal and external stakeholders and monitoring customer sentiment. These tools improve the organization's ability to respond and help to minimize reputational damage.