How can you ensure stakeholders are informed of security incidents?

In my experience having a tested Cybersecurity Incident Plan is always helpful. Its important to carry out tabletop exercises with Senior Management at least once a year. This gives them a first hand practical view on what to expect when an incident occurs. That said, it is vital that the communication framework in the incident plan is reviewed regularly to ensure the contact details are up to date. This is establishes the process through which the various stakeholders will be informed when an incident occurs.

The task should start much early in the cycle with identification of the various stakeholders, drill & simulation exercises at least yearly and having appropriate templates of communication to avoid data fatigues or too less for meaningful response. However, key in case of an identified incident is to avoid emotions and run the show with confidence and regular updates. Regular cadences with resolver teams and war rooms for critical incidents helps to strengthen the communication as well as provide real time updates.

Formulating a communication matrix that maps all essential stakeholders to assets and severity ratings would be a fundamental step in identifying and improving collaboration amongst stakeholders especially during an impactful security incident. Conduct a regular review of said document to ensure timely housekeeping. Incorporate this matrix in a table top exercise would be most helpful in maintaining resilience and better improve trust amongst the stakeholders.

Ensure your company has a well defined RACI matrix that clearly sets out the responsibilities - especially those of CEO, chairperson and board.

I have found over the years that companies are reluctant to report cyber incidents due to fear of reputational damaged, lengthy investigations and low outcome rates of investigations. Companies need to feel confident to report incidents to agencies so a full picture of what is going on is available. We try to educate companies about the benefits of reporting and explain how to deal with negative issues making them positives.

When communicating a security incident, it's key to pick the right channels for each stakeholder. For management, direct methods like emails, calls, or video conferences are best for privacy and detailed discussions. For customers, use accessible platforms like webinars, newsletters, or social media, fostering interaction and reach. Media should be addressed through press releases, blogs, or podcasts, ensuring a wide and controlled reach. For employees, internal channels like intranet, bulletin boards, or town hall meetings are ideal for consistent messaging and community building. Prioritize the security of these channels and have backup options to tackle disruptions, ensuring secure, efficient information flow to all groups.

Once the RACI chart outlining roles and responsibilities in incident response is developed, the next step is establishing effective communication channels for each stakeholder group. The ticketing system is the central communication hub, maintaining a single information point. From there, delivery channels can be defined, including email, phone calls, internal platforms, or face-to-face meetings for sensitive issues, tailored to management, customers, response teams, and other organizational units. Platforms like Slack or Microsoft Teams are valuable for real-time updates, coordinating responses, and sharing feedback.

Create Call Tree that includes backup person's phone number too. You may need to use different channels for different stakeholders, depending on their preferences, expectations, and accessibility. For example, you may use email, phone, or video conferencing for your management, webinars, newsletters, or social media for your customers, press releases, blogs, or podcasts for your media, and intranet, bulletin boards, or town hall meetings for your employees. You should also consider the security and reliability of your communication channels, and have backup options in case of disruptions.

Many security incidents require some level of communication with different Stakeholder, and any incident response communication plan should account for this. Regular meetings help ensure that everyone is on the same page and that the incident response team is aware of any changes to the organization’s infrastructure. Establish communication channels that are reliable and secure. This could include email, phone, or messaging apps

The right channels are critical. So is the information provided; clear,accurate and timely. As with everything practice makes perfect or at least better. Having a plan for communication and action, helps overcome the initial shock and disbelief.

It’s important to have communication templates with clearly defined channels in place, as everyone is usually running around to fix things when there is any cyber security incident. Having this ready makes it easy to ensure that this critical aspect of informing stakeholders is not missed or pushed away for later. Delays in communicating information to stakeholders can have a huge impact for the teams involved, after the dust settles down.

Scale your teams ability to execute by using incident orchestration and communications management platforms. This brings paper IR plans to life and enables applied use.

Communication templates are a proactive measure that ensures timely and consistent messaging during a security incident. It's crucial to consider the use of automation tools for distributing these messages to streamline the process and ensure no stakeholder is overlooked. Additionally, incorporating feedback loops within the communication templates can help in gathering quick responses and gauging stakeholder sentiment, which is vital for continuous improvement in incident response strategies.

Creating communication templates requires close collaboration among public relations, legal affairs and cybersecurity professionals within the affected entity. GDPR Article 33 mandates notifying the supervisory authority in the event of a data breach, in 72 hours after becoming aware of it, adding pressure. Post-notification, public concern about the breach's extent rises. To address this within the 72-hour window, pre-drafted communication templates for media and data owners are essential. Tabletop exercises, based on breach scenarios, ensure readiness, minimizing stress during the critical period.

Em processo de resposta a incidentes ter definidos diferentes modelos de comunica??o é importante, manter um formato consistente e adequado a cada contexto/cenário/partes interessadas, permite uma comunica??o assertiva. Neste formato de comunica??o considere: - Resumo sobre o incidente; - A??es realizadas; - Tenha empatia; - Adote uma postura de responsabilidade e comprometimento em resolver o problema.

As it is with any process, all the planning and templates, etc. is of no relevance if when required, a company fails to execute these plans. An assigned "champion" responsible for implementation and execution of the communication must be empowered and mobilized.

Timely and transparent communication is crucial to maintain trust and manage the situation effectively. Utilizing innovative tools like automated alerting systems can ensure rapid dissemination of information. Additionally, integrating incident response platforms with communication tools can streamline updates and feedback loops, ensuring stakeholders are kept informed with the latest developments in a security incident. This approach not only demonstrates professionalism but also reinforces the organization's commitment to security and responsiveness.

Execute the plan for communicating with stakeholders. This will help ensure that the right information is communicated in a timely manner. When communicating with stakeholders, follow the transparency, accuracy, timeliness, and empathy. Help to provide the clear and concise information, and address any concerns promptly.

Conducting an incident response drill helps evaluate the effectiveness of the designed and defined communication plan. During an actual incident, quickly assess the severity to determine the appropriate level of communication required. Utilize your prepared templates and define the messaging based on the specifics of the incident. Ensure that all communications are clear, concise, and accurate to prevent the spread of misinformation. Regular drills and assessments help refine the process, ensuring stakeholders receive the necessary information promptly during an actual event.

Develop a comprehensive communication plan that outlines the procedures to follow when a security incident occurs. This plan should include a list of stakeholders, their contact information, and the appropriate channels for communication.

Conducting drills is crucial to assess the effectiveness of your communication strategy. Seek feedback from the stakeholders to identify areas for improvement. Maintain version control of all templates to ensure updates are tracked and consistent. Implement a scoring system to evaluate the effectiveness of each communication stage, helping refine the process and enhance overall performance.

Clearly identify and document the key stakeholders who need to be informed in the event of a security incident. Determine the appropriate communication channels for different stakeholders(Email,Call,Incident response System). Classify security incidents based on severity levels to prioritize communication efforts. Keep stakeholders informed with timely updates throughout the incident response process. Conduct a post-incident analysis to evaluate the effectiveness of the communication plan. Identify areas for improvement and update the plan accordingly.

On the evaluation side of the communication plan, is very important to train the communication team on how to deliver difficult messages and handle Q&A. Conduct incident simulations to ensure all people involved know how to act and communicate effectively in the event of a real incident.

Controle de danos é o objetivo de monitorar a sua comunica??o. Qualquer empresa, quer preservar sua imagem e ao mesmo tempo estar atenta. Em épocas de redes sociais o ruído gerado por uma comunica??o inadequada é muito pior do que o dano causado. A cada evento melhorias devem ser realizadas, n?o existe uma varinha mágica, o que existe é ter clareza nas comunica??es de forma transparente.

Love the feedback even the worst. This is where you learn. Every feedback reflects a frustration or a satisfaction and the latest are less but also valuable

The key is to speak the language of the stakeholder. If you are communicating with IT example, your communication should be focused on the exact technical actions required from their side. When communicating with business clear business impact should be shared and technical jargon shoild be avoided. For executives, the message should be simple and clear focused on the business and outlining any required support/decision

Effective comunication plan as part of Incident and crisis management is the best way . However , practice and simulations are very crucial to ensure effectiveness and people awareness / readiness.

Table top exercise with realistic scenario will test the strength and completeness of the plans. Theory is good but real emotions at a simulation will fill up the gaps and tiny details that can make a difference

One critical aspect not covered in the previous sections is the importance of conducting tabletop exercises. These simulated security incidents provide a practical framework for testing the effectiveness of the communication plan. They help in identifying potential gaps in stakeholder identification, message clarity, and channel effectiveness. Furthermore, such exercises enhance the readiness of the team and can significantly improve actual incident response and communication efficiency.

Automate this messaging in my company's ACIRM+. Everytime there is an incident or the type of incident they want to know about, the leaders are automatically notified and the notification is logged in an audit log field. They can also be automatically notified if some threshold is missed, for example, if a key date was missed. In our system, leadership can look at any time and see the status of a response, generate performance reports and more.