How to create a message
This is the scary part: letting other people know about the incident.
Remember, if your clients, users or stakeholders first receive information about the incident via third parties, such as the media, rather than you, they are more likely to be negative towards your message.
Things to consider
When creating the messaging for external communications, you need to cover a lot of points while also being easy to understand and clear about what the next steps are.
- Create a balance between clear information that stakeholders need to know, while also keeping specific information confidential to not entice further attacks.
- Do not say anything you may have to retract later.
- Anything you say to stakeholders has a chance to be reported in the media, consider everything to be public messaging.
- Media may come to you with queries before you have a chance to communicate with stakeholders.
Availability heuristic
The availability heuristic is people’s tendency to act off information that easily comes to mind. In this context, we know that people start taking cyber security more seriously when they hear of an incident.
This can impact your communications as recipients are:
- more likely to take actions on cyber security
- less likely to click links
- more suspicious if the email doesn’t come from a usual source
- likely to try to corroborate via another source.
Resist the urge to create a bespoke email address for the incident. While the message can come from your CEO (or similar), it should be sent out via usual channels.
Balancing the message
While you need to communicate clearly about what happened and will be happening, there is a very real risk that the attacker may use your communications as a signal to start a new phase of the attack or double down on their efforts.
This is where being linked into the technical side of the incident response becomes incredibly important. Early information gathering allows you to craft the proper messages for the situation.
Determine the following information:
The type of incident that has occurred
This gives you a good idea on what the future timeline will look like in terms of resolution and impact on stakeholders. Also, you can decide what level of information to release about the incident.
If the incident is ongoing
You may not be able to say much, and what you can say will need to be more cautious.
The steps that have been taken to mitigate or solve the incident
Giving clear examples to stakeholders of what has happened gives them greater trust in you. However, revealing too much information will tip off the attacker.
If other organisations are involved in the response
Explaining that other experts are involved, especially government, gives higher levels of trust to your communications. Organisations, like CERT NZ, will not say publicly if they are involved.