Communication in Cyber Crises
The Importance of Crisis Communication
During a security incident, inadequate communication can amplify the damage to the organization's reputation as much as the attack itself. A well-executed communication strategy demonstrates transparency, control and commitment to stakeholders.
Principles of Crisis Communication
- Speed: First communication within the first hours after discovery
- Transparency: Be honest about what happened and its impacts
- Consistency: A single coordinated message across all channels
- Empathy: Acknowledge the impact on those affected
- Proactivity: Anticipate questions and concerns
- Continuity: Regular updates even without significant news
Stakeholders and Audiences
Internal
- C-Level and Board: Executive briefings, financial/legal impact
- Employees: Practical instructions, reassurance
- IT and Security: Technical details, response coordination
- Legal and Compliance: Legal and regulatory implications
External
- Customers: Direct impacts, protective measures
- Partners/Suppliers: Supply chain exposure, collaboration
- Media: Press releases, controlled interviews
- Regulators: ANPD, CVM, BACEN - formal notifications
- General Public: Social media, corporate website
Communication Team Structure
- Crisis Communication Lead: Central communication coordinator
- Official Spokesperson: CEO, CTO or designated executive
- Press Office: Media management and press releases
- Social Media Manager: Monitoring and responses on social networks
- Customer Support Lead: Scripts for customer service
- Legal Advisor: Review of communications for compliance
Communication Timeline
First 2 hours:
- Internal communication to C-Level and CSIRT
- Activation of the crisis communication plan
- Preparation of holding statement
First 6-12 hours:
- Communication to employees (internal email)
- Notification to directly affected customers
- First public communication (website/social media)
- Preparation of FAQ for support teams
First 24-48 hours:
- Official press release with confirmed details
- Notification to regulators (ANPD: within 2 business days)
- Broad communication to the entire customer base
- Briefing of shareholders/investors if applicable
Following weeks:
- Regular updates on investigation progress
- Announcement of corrective measures implemented
- Final report and lessons learned (after resolution)
Communication Templates
Holding Statement (initial):
"We are aware of a security incident that affected [systems/data]. Our teams are actively investigating and taking measures to contain the impact. We will keep our stakeholders informed as new information becomes available."
Customer Notification:
"We have identified that [incident description] occurred on [date]. [Types of data] may have been exposed. We have found no evidence of [misuse]. We recommend that you [specific actions: change password, monitor statements]. We offer [protection/monitoring services]. For more information: [contact channel]."
Media and Press Management
- Single Spokesperson: Avoid contradictions with multiple voices
- Media Training: Spokespersons prepared for difficult questions
- Bridging: Technique to redirect inconvenient questions
- "No comment" is bad: Always offer some information, even if limited
- Quick Correction: If there are inaccuracies in the media, correct them immediately
- Monitoring: Tracking of mentions in traditional and social media
Communication on Social Media
Strategy for social media:
- 24/7 monitoring during the crisis
- Quick responses (target: < 1 hour)
- Empathy and humanization (avoid automated responses)
- Forwarding to appropriate channels (support, privacy)
- Do not delete negative comments (transparency)
- Correction of misinformation with facts
What to Avoid
Common communication mistakes in crises:
- Minimizing the severity ("minor incident")
- Blaming third parties without evidence
- Promising what cannot be delivered ("it will never happen again")
- Using excessive technical jargon with a lay audience
- Prolonged silence without updates
- Defensive or combative communication
- Contradictory information across channels
- Ignoring legal notification obligations
Best Practices
- [OK] Have legally pre-approved templates
- [OK] Train spokespersons before the crisis
- [OK] Keep an updated contact list (24/7)
- [OK] Coordinate with legal before external communications
- [OK] Document all communications
- [OK] Conduct tabletop exercises including communication
- [OK] Monitor sentiment and adjust the message
- [OK] Post-mortem including communication analysis
