Consider the information people want and need in a natural disaster. Responding to a cyber security incident is similar, but with an additional challenge – everyday New Zealanders have limited knowledge about how cyber security issues happen. When we're communicating about these incidents we need to educate people about what the issue is, as well as helping them understand what it means for them and what actions they can take to keep themselves safe.
The CERT NZ Incident Communications Framework
CERT NZ has developed the CERT NZ Incident Communications Framework, which is designed to be used by any organisation during a cyber incident. The framework establishes what steps should be taken and at what time to properly communicate to customers, clients, and other stakeholders, without creating panic or stress. It can be added to any existing incident response plan as the communications section.
Communication is key
When you're in the midst of an incident, it's a natural reaction to try to close off from the world. From the incidents we see, we know that this can often put you in a worse position. Communication, whether it's with your staff, your customers, or the public at large, is a big part of a well-managed incident. Knowing what to say and when to say it can make a big difference to the perception of how well your incident is managed.
Make a plan
Knowing what you'll communicate ahead of time makes managing an incident easier. Because there can be lots of variables in a cyber security incident, often it's easier to have a loose plan, rather than trying to figure out the solution for every eventuality. The main things to think about are:
Having a clear understanding of the type of incident, and its size and scale, will help you explain it to others. Try to get as much information as possible and ask lots of questions to make sure you understand. If you're having the issue explained to you and you don't understand, stop and ask questions at the time, rather than trying to figure it out later. There may be areas of the incident that aren't known yet; not all aspects of the incident will be known when you first start communicating.
Who do we need to tell?
There will be lots of different people who will have a stake in the incident you're experiencing. This often includes staff and customers, but could also include your board, investors, the general public and the media. Make a list of everyone who might need or want information from you about the incident and what they might want to know. Different groups will need different information – the information you give your staff is likely to be different to the information you give your customers because they need to do different things. Consider what effect any public communication you do will have on your stakeholders and on the people behind the attack.
What will you tell them?
Create some key messages – these are the main points of the incident and the things you're doing to respond to it. In many security incidents, you may not know exactly what's happened at the beginning, but even if you only have a small amount of information, it's important to let people know that an incident is occurring. Your key messages should include what's happened, when it happened, and what your next steps are, but it's ok if you don't know all of this information right away. If there are gaps in the information about the incident, let people know that you're investigating and that you'll update them when you have more information available.
From your key messages you can adapt the information to each audience.
For example, your employees will need to know:
- how this will impact their work
- if they need to change the way they're working - don't keep putting data in a system that's got a breach!
- what they can tell the customers if they get questions.
Your customers will need to know:
- how this will impact them
- what you will do about it, and
- how they can know if they are affected.
How will you tell them?
Think about the channels you use to talk to people about your incident. The channels you use to communicate about the incident should be accessible and logical. You may need to consider alternative channels, as the normal ways you share information with people may have been affected by the incident you're experiencing. For example, if your network or email is compromised – you won't be able to email information to your employees.
The middle of an incident is not a good time to start a new channel, such as a Facebook group, as it could be considered a scam or part of the attack. If you think you'll need alternative channels to contact people, set them up now, ahead of time.
You can use your key messages here to adapt your communication to work in different channels. For example, have a short message on social media that links to the full information on your website.
When will you tell them?
We recommend you communicate from the inside out – that is, tell your staff and board about it first, then your customers, before the general public or media. This is for practical reasons: if you tell the public before your staff, your staff won't know how to answer any questions they get from your customers.
They may also have questions you hadn't considered, which will give you a chance to update your messages before you send them out to the public.
Generally, communicating earlier is better. If you've known about an issue for a long time before you tell people, they may wonder what else you aren't saying. Consider the time of day and day of the week you let people know. If it's not urgent and you let everyone know late on a Friday afternoon, people are likely to be unhappy. Think about how often you'll update people too. Incidents evolve, so you'll need to decide how frequently to share updates.
Find sources of truth
Sometimes it can be helpful to point to an authority on a subject when you're describing a complex issue - they've often done the hard work for you. It can be helpful to point to someone who can be verified and trusted, particularly if you're not familiar with the technical terminology that's being used.
Managing media interest
Media can be very helpful at getting the message out to your customers if you're experiencing a big issue, but if working with media isn't something you normally do as a business, it can be a bit daunting to figure out what you should and shouldn't say, and the best way to work with them. If you are approached, and you're not sure what to do, it's a good idea to ask for help from an expert. The Public Relations Institute of New Zealand has a list of public relations professionals that you could engage for help.
Sometimes, CERT NZ will be asked by media if we’re involved in your incident. Because of the sensitivity of the reports we receive, we never confirm or deny whether we’re involved with an incident affecting a particular business, organisation or individual. We will sometimes share general cyber security information with media, for example explaining what ransomware is and how it works, but we don't talk about affected parties.
Practice makes perfect
Communicating well is a learned skill so even if this feels unfamiliar, you can learn to be a better or a great communicator. Ask for help from your communications team or feedback from others in your organisation. Even better, develop an incident response plan for your organisation with a communication section built in. Practicing it regularly will make it seem less daunting if, or when, a real incident occurs.
Manage what you can, outsource what you can't
There will be parts of the incident that you need to manage yourself, but incident response is a team sport, so make sure you're asking for help. Report to CERT NZ as soon as you can so we can give you help and guidance.