What do you mean we can’t reach our employees?

By David Lewis, VP Business Development, Nteraction

One of the most overlooked components of a complete and effective Cyber Incident Response Plan is the Communication Plan. How and when you communicate with your employees, customers, partners and suppliers can be the difference between your business operations being down for months or not down at all.

The Communication Plan is crucial for effectively managing and responding to cybersecurity incidents of all types while minimizing their impact on an organization’s reputation, operations, and stakeholders. The plan outlines the steps to be taken when a cyber incident occurs and ensures consistent, clear, and timely communication with all the key stakeholders. Here are 18 key requirements for a comprehensive Cyber Incident Communication Plan:

 

1.  Define Clear Objectives and Goals

Define the purpose of the Communication Plan as part of the Incident Response Plan and outline its primary objectives. These can include minimizing damage, informing stakeholders and setting expectations, instructing stakeholders on what to do and what not to do, instructing stakeholders on how to continue business operations during the incident, and maintaining transparency. Be sure to include how stakeholders can get more answers or help.

 

2.  Designated Business Continuity Communication Team

Identify a team responsible for managing communication during a cyber event. This team should consist of representatives from across your organization, including IT, Legal, Public Relations, senior management, and other relevant departments. It should be empowered to manage and execute the Communication Plan in the event of a cyber incident, and its members should be the ones who ultimately trigger communication with all stakeholders, using the appropriate tools.

 

3.  Define Roles and Responsibilities

Clearly define the roles and responsibilities of each team member involved in communication. This ensures a coordinated response and efficient decision-making, and eliminates duplication and redundancy. The roles and responsibilities of each team member will vary based on their departmental expertise, skill set, and area of focus during the crisis.

 

4.  Incident Categorization and Notification Levels

Classify cyber incidents based on type, severity and impact. Establish notification levels that trigger specific communication actions defined in the Plan. This determines when to escalate communication to higher-level management and stakeholders, and defines the type (method and content) of communication to take place. For example, a ransomware incident may require that all employees be notified immediately through channels that do not depend on the affected corporate systems, such as SMS/MMS text, WhatsApp, or even personal email; if the corporate mail server or network is down or untrusted, a message sent through it may never arrive, or may itself be read by the attacker. The instructions may include which systems employees should connect to and which they should not, and who to contact for help. This can limit the spread and impact of the ransomware and help keep the business operational while it works to contain and eliminate the infection. Compare that to a System Down situation caused by an upgrade that went awry or triggered a related issue. Here you may simply send a company email notification with instructions and updates on the expected ETA for correction. Both are valid cyber incident situations, but they need completely different responses.

 

5.  Identify all Stakeholders and their Contact Information before a Cyber Incident

Identify the various stakeholders, both internal (employees, executives, departments) and external (customers, partners, suppliers, regulators), who need to be informed during an incident, and do so before the incident occurs. It is absolutely critical that all of your stakeholders are loaded into your contact tools, including their work and personal email addresses, mobile phone number(s), WhatsApp numbers, etc., before a cyber incident. All too often, people are left scrambling to call individual stakeholders, or looking for their contact details, after an incident occurs. Every minute that goes by in which a stakeholder has not been made aware of the incident costs your company money and can allow malware to spread or a ransomware infection to expand its reach.

 

6.  Contact Lists and Communication Channels

In addition to pre-loading all contact information for all stakeholders, identify the primary and alternate methods of communication. As mentioned above, this includes phone numbers (mobile and landline), email addresses (work and personal), and alternative methods and alternative individuals. The alternate channel should not depend on the same systems as the primary one: a work email address is no alternate for a corporate chat tool if both run on the same compromised or unavailable infrastructure. This could also include websites, social media and other forms of notification and communication.
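The requirement in items 5 and 6, that every stakeholder be reachable before the incident by a channel that does not rely on the corporate systems, is something you can check mechanically against the roster you already hold. The following is an added example, not code from the article or from Nteraction. The stakeholder records, the corporate mail domain (`example.com`), the role names and the channel classification are all constructed here as assumptions; it treats personal email, SMS and WhatsApp as independent of corporate mail and network, and flags anyone with no such channel, anyone with only one (no alternate), and any "personal" address that is actually on the corporate domain.

```python
"""Audit an incident-communication contact roster for out-of-band reachability.

Added example (not from the original article). The roster below is
constructed sample data; the corporate domain and field names are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Assumed corporate mail domain(s). Addresses here are treated as in-band:
# unusable if the mail system is down or under attacker control.
CORPORATE_DOMAINS = {"example.com"}


@dataclass
class Stakeholder:
    name: str
    role: str
    work_email: str = ""
    personal_email: str = ""
    mobile: List[str] = field(default_factory=list)   # SMS/MMS numbers
    whatsapp: str = ""


def _is_corporate(address: str) -> bool:
    return address.split("@")[-1].lower() in CORPORATE_DOMAINS


def out_of_band_channels(s: Stakeholder) -> List[str]:
    """Channels that still work if corporate mail/network are unavailable.

    Fixed order so results are predictable: personal_email, sms, whatsapp.
    """
    channels = []
    if s.personal_email and not _is_corporate(s.personal_email):
        channels.append("personal_email")
    if s.mobile:
        channels.append("sms")
    if s.whatsapp:
        channels.append("whatsapp")
    return channels


def audit_roster(roster: List[Stakeholder]) -> List[Tuple[str, str]]:
    """Return (name, issue) findings for stakeholders the plan could not reach."""
    findings = []
    for s in roster:
        oob = out_of_band_channels(s)
        if not oob:
            findings.append((s.name, "no out-of-band channel"))
        elif len(oob) < 2:
            findings.append((s.name, "no alternate out-of-band channel"))
        if s.personal_email and _is_corporate(s.personal_email):
            findings.append((s.name, "personal email is on corporate domain"))
    return findings


def uncovered_roles(roster: List[Stakeholder], required: Set[str]) -> List[str]:
    """Roles from the communication team with no member reachable out of band."""
    covered = {s.role for s in roster if out_of_band_channels(s)}
    return sorted(required - covered)


# Constructed sample roster illustrating the three failure modes above.
SAMPLE_ROSTER = [
    Stakeholder("Alice", "IT", "alice@example.com",
                "alice.home@mail.invalid", ["+15550100"]),
    Stakeholder("Bob", "Legal", "bob@example.com"),               # work email only
    Stakeholder("Carol", "Public Relations", "carol@example.com",
                "carol@example.com", whatsapp="+15550102"),        # "personal" is corporate
    Stakeholder("Dan", "Supplier", mobile=["+15550103"]),          # single channel
]

if __name__ == "__main__":
    for name, issue in audit_roster(SAMPLE_ROSTER):
        print(f"{name}: {issue}")
    print("roles with no out-of-band member:",
          uncovered_roles(SAMPLE_ROSTER, {"IT", "Legal", "Public Relations"}))
```

Run this against the real roster export on a schedule, not only during the exercise in item 16: a finding of "no out-of-band channel" for a Legal or IT contact is exactly the gap the title of this article describes.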

 

7.  Personalized Message Development

Prepare templates with key message points for various scenarios, ensuring accuracy and clarity. Use whatever content conveys clear and complete instructions, including documents, videos, graphics, images and text. Provide appropriate links to "safehouse vaults" so that stakeholders can continue to conduct business, with explicit instructions on how to connect using approved hardware and methods. Develop messages that address the incident's impact, the actions being taken and preventive measures, and that set expectations for what comes next.

Messages may form a series of communications that provide deeper instructions, status updates, and so on. This lets a company continue to reassure employees, customers and other stakeholders that it is working on the situation and has not forgotten about them. The series can conclude with a communication that gives the "all clear" and instructs stakeholders to resume normal business operations.

 

8.  Legal and Regulatory Compliance

It is essential that all communication aligns with legal and regulatory requirements. Consult with legal experts ahead of time to avoid inadvertently disclosing sensitive information and to ensure compliance with regulations, while not provoking an overreaction from outside organizations (e.g. the media). Walk through each type of cyber event and its communication messages with Legal in order to ensure compliance.

 

9.  Communication Timelines

Establish and define specific timeframes for initial alerts, updates, and resolution notifications. Timely communication helps manage expectations, allay fears and maintain transparency with your stakeholders. Depending on the type of cyber event, this can be the difference between effectively managing the crisis and chaos and confusion.

 

10. Internal Communication Strategy

Perhaps the most important communication in your Plan is how you will communicate within your organization. In a "system down or unavailable" situation this may be minor, but a full-blown malware or ransomware attack makes it a critical step. Informing employees about what to do and, critically, what not to do during a cyber attack can keep your business operational. Aligning departments and giving them guidance on their roles during the incident lets you continue smooth, albeit disturbed, operations until you can return to normal.

 

11. External Communication Strategy

Detail how you will communicate with all appropriate external stakeholders. This could include customers, partners, agents, brokers, or suppliers, and it will also include the media. Communicating what you are doing to address the issue, when to expect correction or further communications, and how to continue to do business with you addresses their concerns and conveys accurate, timely information. Managing media inquiries or notifications at the right time can allay concerns and show that the issue is under control and being handled professionally.

 

12. Media Relations Plan

If appropriate, include a Media Relations Plan as part of your Communications Plan. Prepare strategies for dealing with the media. Designate a spokesperson and provide them with media training to ensure consistent, controlled, and appropriate messaging. Deliver appropriate content to the media to convey that the situation is under control and is being addressed, while showing that business operations are continuing.

 

13. Social Media Management

Define guidelines for managing social media channels during the incident. Determine who on the Cyber Response Team will be responsible for monitoring social media, responding to comments, providing updates, and addressing misinformation.

 

14. Post-Incident Communication

In addition to providing updates, delivering the Post-Incident Communication is critical to returning to normal operations. Once the incident is resolved, notify all stakeholders of the resolution and instruct them on what they should now do to resume normal operations. Follow-on communications can then share lessons learned, actions taken to prevent future incidents, and any necessary updates.

 

15. Escalation Procedures and Help

Define clear escalation paths in the Communication Plan for incidents that require higher-level management or executive involvement. This ensures timely decision-making and communication. In addition, include in your communications to stakeholders clear contact information for individual escalation and where to go for help.

 

16. Simulation and Testing

A key element of your Communication Plan, and of your entire Cyber Incident Response Plan, is regular simulation and testing. Exercising each cyber event scenario and testing the Communication Plan is critical to ensuring its effectiveness, identifying and correcting shortcomings, and ensuring team readiness. Include the contact data itself in the test: a plan that cannot actually reach its stakeholders through the alternate channels has not been tested.

 

17. Ensure Continuous Improvement

As part of your Cyber Incident Response Plan, after each cyber incident, conduct a thorough review of the response process including the communication plan and processes. Identify areas for improvement and update the plan accordingly.

 

18. Training and Awareness

A crucial element of your Cyber Incident Response Plan and Communication Plan is training employees and relevant stakeholders on their roles and responsibilities during a cyber event. Ensuring that your internal, and potentially external, stakeholders know what to do and what to expect in a cyber event helps create a culture of cybersecurity awareness that minimizes the risk of incidents and their impact.

 

Each company's Communication Plan should be tailored to its specific needs, industry, and risk profile. Regularly updating the plan and performing tabletop exercises to simulate and test it will help your organization effectively respond to and recover from cyber events and minimize their impact on your business operations, while maintaining trust and transparency.