Many organizations find themselves questioning when it is appropriate to alert the public about a potential data breach. I think most of us have seen this play out in the news. Alerts are often confusing, incomplete, and have most of us wondering what the best next steps are to protect ourselves.
Without having all of the details, or even confirming the scope and severity of the event itself, organizations jump the gun and make a public announcement about a potential cyber event. What often ensues is a series of follow-up announcements, leading the public to distrust the organization's grasp of the situation and its ability to respond appropriately. These organizations often have the best intentions in wanting to make a speedy response. Wanting to inform those affected in a spirit of full disclosure, they fail to fully investigate the event (and the damages) and give an inaccurate or incomplete rendering of events.
Communication within the Organization
Internal communication channels and clear protocols for escalating cyber events can help organizations determine when it is best to alert the media about a breach. Establishing communication channels, specifying roles and main points of contact, and developing a plan as to what organizations should be alerted and in what order should all be addressed and well recorded prior to an attack happening.
Incident response teams are responsible for communicating with internal stakeholders, external stakeholders, law enforcement, the media, incident reporting organizations, and those impacted externally as a result of the breach. These teams may also be responsible for coordinating with external experts tasked with assessing the scope, severity, and cause of a particular breach, as well as mitigation and containment efforts.
Communication with the Media
Media communications need to be informed by organizational media and disclosure policies. Even if an event is out of the ordinary, following established protocols is always going to be in the best interest of the affected organization.
Ideally, a single senior executive should be responsible for all media communications to avoid the mixed messages and incorrect information that result from several individuals trying to convey different aspects of the situation. Identifying a single backup point of contact may be helpful depending on the size of the organization, but keeping communication with the media as clear, concise, and accurate as possible is always the objective.
Communication with Others
If an organization is required to contact customers or clients on a large scale, it is important that all employees receive training as to what a proper response should be and what information can be shared. This clear communication requires contacting the appropriate internal and external parties prior to making any statements.
As with media communications, communication with law enforcement should be prepared for in advance. The types of information that will be shared, the designated primary point of contact, the evidence collection methods, and the applicable reporting procedures are best documented prior to an event occurring. Similarly, incident response teams are responsible for handling reporting to incident reporting organizations and for being aware of pertinent legal obligations and deadlines.
External impacted parties can vary depending on the type and scope of the attack and may include investors, vendors, customers, clients, and any other party that has had their data compromised. As with the other areas of communication for which incident response teams are responsible, communication needs to be as clear and correct as possible. Additional legal consequences may result from incorrect or frequently amended reporting. Prompt notification is as important as an accurate notification; preparation in incident response is critical in orchestrating any response.
Effectively planned communication channels can assist in easing the operational, reputational, and legal risks imposed by cyber events and may even be critical in mitigating damage. A clear and comprehensive response conducted by a prearranged team lessens the kind of chaos that frequently follows in the wake of an attack or breach. Additionally, external and media communication can only be effective if internal employees are kept aware of their responsibilities when it comes to relaying information.
While not every employee needs to be kept abreast of each and every detail pertaining to a cyber event, upper management and senior-level executives must set clear expectations for training and employee awareness. If employee information is also compromised as a result of a breach, those employees must be provided with information about what has potentially been compromised and the mitigation steps available to them. Preparation in cyber security is absolutely critical when it comes to responding to and mitigating the immediate and ongoing damages associated with cyber attacks and breaches.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.