Managing incidents
Communicating in an online security incident

A major component of an online security issue is how you let people know what’s going on, how it’s affecting your business, and how it could affect them.

Why it matters

When you're in the midst of an incident, it's a natural reaction to try to close off from the world. From the incidents we see at CERT NZ, we know that this can often put you in a worse position.

Communication, whether it's with your staff, your customers, or the public at large, is a big part of a well-managed incident. Knowing what to say and when to say it can make a big difference to how well your incident is perceived to be managed.

Communicating in a cyber security incident is similar to communicating in a natural disaster, but with an additional challenge – everyday New Zealanders have limited knowledge about how cyber security issues happen and what it means for them.

We need to:

  • educate people about what the issue is
  • help them understand what it means for them, and
  • let them know what actions they can take to keep themselves safe.

How to communicate

Consult the CERT NZ framework or your incident response plan

CERT NZ has developed the CERT NZ Incident Communications Framework. It's designed to be used by any organisation during a cyber incident, and it can help you with:

  • what steps to take
  • when to communicate with customers, clients, and other stakeholders, without creating panic or stress.

It can be added to any existing incident response plan as the communications section.

CERT NZ Incident Communications Framework

Creating an incident response plan

Get clear on the details

Try to get as much information as possible and ask lots of questions to make sure you understand the issue. If there's anything you don't understand, stop and ask, rather than trying to figure it out later.

Not every aspect of the incident will be known when you first start communicating. Say what's still being investigated rather than guessing.

Decide who you need to tell

There will be lots of different people who will have a stake in the incident you're experiencing. This might include:

  • staff
  • customers
  • your board
  • investors
  • the general public
  • the media.

Make a list of everyone who might need or want information from you about the incident and what they might need to know. Different groups will need different information – what you tell your staff is likely to be different from what you tell your customers, because they need to do different things.

Consider what effect any public communication you do will have on your stakeholders, and on the people behind the attack. What you say publicly can tell the attackers what you've detected and how you're responding, so be deliberate about how much detail you release while the incident is still live.

Create your key messages

Create some key messages – these are the main points of the incident and the things you're doing to respond to it.

Your key messages should include:

  • what's happened
  • when it happened
  • what your next steps are.

It's ok if you don't know all of this information right away. If there are gaps in the information about the incident, let people know that you're investigating and that you'll update them when you have more information available.

You can adapt your key messages to suit each audience.

For example your employees will need to know:

  • how this will impact their work
  • if they need to change the way they're working, for example to stop entering data into a system that's been breached until it's been cleaned up
  • what they can tell the customers if they get questions.

Your customers will need to know:

  • how this will impact them
  • what you will do about it, and
  • how they can tell if they are affected.

Sometimes it can be helpful to point to an authority on a subject when you're describing a complex issue – they've often done the hard work for you. Our information on common threats might be a useful starting point.

Common risks and threats for business

Choose your communication channels

The channels you use to communicate about the incident should be accessible and logical. If your usual channels have been affected by the incident, you'll need to find different ways to communicate. For example, if your network or email is compromised, you can't rely on email to reach your employees: it may not get through, and anything you send that way may be visible to the attacker.

Adapt your key messages to work in different channels. For example, have a short message on social media, linking to the full information on your website.

Ideally you don't want to start a new channel, like a Facebook group, in the middle of an incident. People have no way to tell a channel you've just created from one set up by a scammer or by the attackers themselves, so it could be treated as a scam or as part of the attack. Make sure you have a range of channels to contact people as part of business as usual, so they already recognise them when you need them.

Work out your timings

We recommend you communicate from the inside out – tell your staff and board about it first, then your customers, before the general public or media.

This ensures your staff will know how to answer any questions they get from your customers. They may also have questions you hadn't considered, giving you a chance to update your messages before you send them out to the public.

Generally communicating earlier is better – if you've known about an issue for a long time before you tell people, they may wonder what else you aren't saying.

Consider the time of day, and day of the week you let people know. If it's not urgent and you let everyone know late on a Friday afternoon, people are likely to be unhappy.

Think about how often you'll update people too – incidents are evolving so you'll need to think about how frequently you need to share updates.

Managing media interest

Media can help get the message out to your customers if you're experiencing a big issue.

If working with media isn't something you normally do as a business, it can be hard to figure out what you should and shouldn't say, and the best way to work with them.

If you're approached and you're not sure what to do, get help from an expert. The Public Relations Institute of New Zealand has a list of public relations professionals that you could engage for help.

Public Relations Institute

Sometimes, CERT NZ will be asked by media if we're involved in your incident. Because of the sensitivity of the reports we receive, we do not confirm or deny whether we're involved with an incident affecting a particular business, organisation or individual (unless the organisations involved consent to us doing so). We will sometimes share general cyber security information with media, for example explaining what ransomware is and how it works, but we don't talk about affected parties.

Get help

Report any incident to CERT NZ as soon as you can so we can give you help and guidance.

Get help now