Communication During Incident Response

When a cybersecurity incident occurs, it is a direct threat to your organization’s business continuity. In a crisis, you cannot afford for the response to fall apart because of a lack of planning and practice. Once your security team detects an incident, communication between the interested parties plays a crucial role in executing your incident response plan. Clearly defined communication protocols and procedures help your incident response team prepare for real-life incidents, whereas ambiguity in the plan directly increases the time needed to contain and mitigate the incident, which is never a favorable situation for any business. A swift, well-coordinated response ensures that business operations return to normal sooner and that the security team is able to minimize the damage.

Communication During an Incident: What and Why 

In plain language, incident communication is the act of informing the interested parties about a security incident: what happened, what is affected, and what is being done about it. For services that are expected to run 24/7, streamlined communication with stakeholders enables quicker decision-making. Organizations often mistake incident communication for sending bulk emails, but that is not what it is. An organization has several distinct audiences: shareholders, top management, customers, suppliers, employees, and so on, and each needs a message tailored to it. For example, a message written for shareholders cannot simply be forwarded to your customers.

Our experts often come across incident response plans that address only the technical activities, such as investigation, evidence gathering, containment, and recovery. Such plans clearly leave out communication. An unexpected security incident should not be allowed to turn into a business nightmare because nobody knew who should say what, to whom, and when.

Whom do you need to communicate with? Internal and external parties

The parties you need to communicate with during an incident fall into two clearly distinct groups: internal and external. In both cases, your communication strategy must strike a balance between disclosure and protection. Sharing too much can expose a weakness that has not yet been fixed; withholding information can give the impression that you have something to hide. During a security incident, an organization should follow basic crisis management guidelines such as:

  1. Do not deny it. Acknowledge that there is a problem and take control of your own message before others define it for you. 
  2. Carefully assemble the confirmed facts and convey them without complicated language. 
  3. Designate a trusted professional as the spokesperson and ensure that they answer queries at regular intervals. 
  4. Use dignified, jargon-free language in a serious tone. 
  5. Do not keep reacting defensively. Take the initiative instead: explain how the weaknesses that were exploited are being addressed and what will prevent a recurrence of the same incident. 

Internal Parties 

For internal communication, your incident response plan should define roles and responsibilities, and the incident response team should share information on a need-to-know basis according to each individual’s role and access level. Internal communications should also state that the information they contain is confidential and must not be disclosed further. Unnecessary or inadvertent disclosure of confidential incident details can result in negative publicity as well as regulatory proceedings.

External Parties 

External communication covers regulatory authorities, law enforcement, customers, and the media. Depending on your location and the applicable laws, your organization may be obliged to report data breaches and other security incidents to the relevant authorities or law enforcement agencies, usually within a fixed time frame. Your incident response plan should assign this responsibility to an individual who understands your organization’s legal obligations and who also has experience communicating with authorities.

Media relations play a crucial role in responding to queries from media agencies about an ongoing incident. In one of our previous articles, we recommended that your incident response team include a representative from the marketing/public relations team. That person should be involved from the very beginning so that they have detailed insight into what is happening, and a technical expert should help them ensure that media queries are answered in plain, accurate language. There are plenty of examples of statements being reported only partially, or of sound bites being taken out of context; the resulting damage can exceed that of the incident itself. Some of the questions you should expect are:

  • Why has this happened? 
  • Was the attacker able to access sensitive information? 
  • How many individuals are affected? 
  • Have you been able to identify the attackers? 
  • When did the organization find out? 
  • Is an employee responsible for this? 

Irrespective of whether the applicable laws require it, you may need to explain to your customers what happened, how it affects them, and whether their PII is impacted. We recommend that your incident response team prepare ready-to-use communication templates in advance. An ongoing crisis is not the time to start drafting a thoughtful notification message for your valued customers.

Best practices for communicating during an incident 

  1. Formalize the team activation process: The first communication of an incident takes place when your organization sets the incident response team in motion. If you have a full-fledged SOC in place, it should be the SOC’s job to decide whether an event warrants activating the incident response team, and to notify the team through the agreed channel. 
  2. Have a dedicated point of contact for all external communication: Your organization is likely to be flooded with questions from external stakeholders. Instead of having technical personnel answer them, designate a marketing/PR executive as the single point of contact, as discussed in the previous section. A coordinated response minimizes the risk of misinformation and misinterpretation. 
  3. Have a designated role for compliance-related obligations: Non-compliance with regulatory requirements can quickly become a serious problem. Disclosing a data breach, involving law enforcement agencies, and notifying the affected parties are all time-bound activities, and missing the specified deadlines increases your legal exposure and costs. 
  4. Prepare communication templates: As this article has shown, your incident response team will communicate with various stakeholders immediately after an incident and throughout the mitigation process. Instead of drafting emails and messages under time pressure, our experts recommend preparing message templates beforehand. The tone, frequency, and quality of these messages invariably shape the public perception of a security incident and of your organization’s reputation. 

Ending notes 

A well-planned incident response plan produces better post-incident outcomes for your organization. Communication during incident response is not judged as passing or failing; it is either effective or ineffective. A well-prepared plan will earn your organization credit with its stakeholders, while having no plan, or a poorly prepared one, leaves you fighting a never-ending uphill battle.