Why it matters
When you're in the midst of an incident, it's a natural reaction to try to close off from the world. From the incidents we see at CERT NZ, we know that this can often put you in a worse position.
Communication, whether it's with your staff, your customers, or the public at large, is a big part of a well-managed incident. Knowing what to say and when to say it can make a big difference to the perception of how well your incident is managed.
Communicating in a cyber security incident is similar to communicating in a natural disaster, but with an additional challenge – everyday New Zealanders have limited knowledge about how cyber security issues happen and what these issues mean for them.
We need to:
- educate people about what the issue is
- help them understand what it means for them, and
- let them know what actions they can take to keep themselves safe.
How to communicate
Consult the CERT NZ framework or your incident response plan
CERT NZ has developed the CERT NZ Incident Communications Framework – it’s designed to be used by any organisation during a cyber incident. It can help you with:
- what steps to take
- when to communicate to customers, clients, and other stakeholders, without creating panic or stress.
It can be added to any existing incident response plan as the communications section.
CERT NZ Incident Communications Framework
Creating an incident response plan
Get clear on the details
Try to get as much information as possible and ask lots of questions to make sure you understand the issue. If you don't understand something, stop and ask questions rather than trying to figure it out later.
Not all aspects of the incident will be known when you first start communicating.
Decide who you need to tell
There will be lots of different people who will have a stake in the incident you're experiencing. This might include:
- staff
- customers
- your board
- investors
- the general public
- the media.
Make a list of everyone who might need or want information from you about the incident and what they might need to know. Different groups will need different information – what you tell your staff is likely to be different from what you tell your customers, because they need to do different things.
Consider what effect any public communication you do will have on your stakeholders and on the people behind the attack.
Create your key messages
Create some key messages – these are the main points of the incident and the things you're doing to respond to it.
Your key messages should include:
- what's happened
- when it happened
- what your next steps are.
It's ok if you don't know all of this information right away. If there are gaps in the information about the incident, let people know that you're investigating and that you'll update them when you have more information available.
You can adapt your key messages to suit each audience.
For example, your employees will need to know:
- how this will impact their work
- if they need to change the way they're working – for example, don't keep putting data in a system that's had a breach
- what they can tell the customers if they get questions.
Your customers will need to know:
- how this will impact them
- what you will do about it, and
- how they can know if they are affected.
Sometimes it can be helpful to point to an authority on a subject when you're describing a complex issue – they've often done the hard work for you. Our information on common threats might be a useful starting point.
Common risks and threats for business
Choose your communication channels
The channels you use to communicate about the incident should be accessible and logical. If your usual channels have been affected by the incident, you'll need to find different ways to communicate. For example, if your network or email is compromised, you won't be able to email information to your employees.
Adapt your key messages to work in different channels. For example, have a short message on social media, linking to the full information on your website.