How to talk your way out of a cybersecurity crisis
If you suffer a serious data breach or cyberattack, how you communicate with key stakeholders who are affected can make or break your reputation.
That’s why CERT NZ, the government’s Computer Emergency Response Team, has published Public communications for cyber security incidents: A framework for organisations.
It’s fair to say that the large cybersecurity incidents that have hit organisations across Australasia in recent years weren’t always accompanied by timely and effective communications. Australian mobile operator Optus in particular came in for intense criticism for its slow and piecemeal communication in the wake of a data breach that exposed the ID numbers of 2.1 million customers.
Customers and partner organisations who may have had data compromised in a breach can rightly feel frustrated and distrustful if adequate information isn’t made available to let them act to reduce the threat of identity theft and other cybercrime.
A step-by-step plan
On the flip side, CEOs and IT managers are often working with incomplete information in the wake of a breach and don’t want to divulge details that could further compromise their organisation’s security.
So how do you navigate the sensitive crisis communications around a cyber event? Start well in advance by creating an Incident Response Plan, CERT NZ advises. Its reasoning: “having a step-by-step plan in place before a cyber security incident occurs will help you take control of the situation, navigate your way through and reduce the impact on your business.”
That plan includes understanding your key cybersecurity risk factors (the output of a cybersecurity risk assessment), establishing the roles and responsibilities that will kick in when an incident happens, and deciding who will need to be contacted in the case of a serious incident.
“This is the scary part,” CERT NZ acknowledges: “letting other people know about the incident.”
“Remember, if your clients, users or stakeholders first receive information about the incident via third parties, such as the media, rather than you, they are more likely to be negative towards your message.”
You may be required by law or regulations to report the incident quickly, including to the Privacy Commissioner, who expects you to inform them of a serious incident within 72 hours, and the NZX, which will want to hear about incidents that could have a material impact on the company. The Police will want to know quickly if a crime has been committed and can help you in the incident response phase.
You’ll also want to plan to contact your cyber insurer as quickly as possible, as they may be able to authorise funds to help clean up the problem and can help with communications.
CERT NZ advises appointing a communications lead, who will assume a very important role in times of crisis.
“This person will be the single sign-off point for messages to any internal or external stakeholders, including media and the public. Note that the Comms Lead may still report upwards to a wider leadership team or incident manager, however, they will still be the final touch point for all communications.”
As important as identifying who you need to contact is establishing in what order stakeholders will be contacted.
[Figure: CERT NZ, Deciding who to contact and when]
CERT NZ’s advice is largely in line with cybersecurity news outlet CSO’s advice on planning how to communicate in the wake of a cyber incident. Simulated scenarios should be practised on a regular basis so that people in the organisation have a chance to run through what happens.
“It’s getting senior leaders sweating in a scenario which walks through a cyberattack, and not necessarily something that fits in with a pre-canned incident response plan,” says Paul Black, a partner in KPMG's forensic services.
Don’t avoid challenging exercises, Black advises. Imagine the worst-case scenarios and get the leadership team practised at knowing what to do. A cursory “insight session” won’t cut it.
Says Black: “That's the worst thing possible because you want people to be put under pressure by running through a scenario in a safe environment. That’s how incidents work, it’s immense pressure.”