Communication in Cyber Crises

The Importance of Crisis Communication

During a security incident, inadequate communication can amplify the damage to the organization's reputation as much as the attack itself. A well-executed communication strategy demonstrates transparency, control and commitment to stakeholders.

Principles of Crisis Communication

  • Speed: First communication within the first hours after discovery
  • Transparency: Be honest about what happened and its impacts
  • Consistency: A single coordinated message across all channels
  • Empathy: Acknowledge the impact on those affected
  • Proactivity: Anticipate questions and concerns
  • Continuity: Regular updates even without significant news

Stakeholders and Audiences

Internal

  • C-Level and Board: Executive briefings, financial/legal impact
  • Employees: Practical instructions, reassurance
  • IT and Security: Technical details, response coordination
  • Legal and Compliance: Legal and regulatory implications

External

  • Customers: Direct impacts, protective measures
  • Partners/Suppliers: Supply chain exposure, collaboration
  • Media: Press releases, controlled interviews
  • Regulators: ANPD, CVM, BACEN - formal notifications
  • General Public: Social media, corporate website

Communication Team Structure

  • Crisis Communication Lead: Central communication coordinator
  • Official Spokesperson: CEO, CTO or designated executive
  • Press Office: Media management and press releases
  • Social Media Manager: Monitoring and responses on social networks
  • Customer Support Lead: Scripts for customer service
  • Legal Advisor: Review of communications for compliance

Communication Timeline

First 2 hours:

  • Internal communication to C-Level and CSIRT
  • Activation of the crisis communication plan
  • Preparation of holding statement

First 6-12 hours:

  • Communication to employees (internal email)
  • Notification to directly affected customers
  • First public communication (website/social media)
  • Preparation of FAQ for support teams

First 24-48 hours:

  • Official press release with confirmed details
  • Notification to regulators (ANPD: within 2 business days)
  • Broad communication to the entire customer base
  • Briefing of shareholders/investors if applicable

Following weeks:

  • Regular updates on investigation progress
  • Announcement of corrective measures implemented
  • Final report and lessons learned (after resolution)

Communication Templates

Holding Statement (initial):

"We are aware of a security incident that affected [systems/data]. Our teams are actively investigating and taking measures to contain the impact. We will keep our stakeholders informed as new information becomes available."

Customer Notification:

"We have identified that [incident description] occurred on [date]. [Types of data] may have been exposed. We have found no evidence of [misuse]. We recommend that you [specific actions: change password, monitor statements]. We offer [protection/monitoring services]. For more information: [contact channel]."

Media and Press Management

  • Single Spokesperson: Avoid contradictions with multiple voices
  • Media Training: Spokespersons prepared for difficult questions
  • Bridging: Technique to redirect inconvenient questions
  • "No comment" is bad: Always offer some information, even if limited
  • Quick Correction: If there are inaccuracies in the media, correct them immediately
  • Monitoring: Tracking of mentions in traditional and social media

Communication on Social Media

Strategy for social media:

  • 24/7 monitoring during the crisis
  • Quick responses (target: < 1 hour)
  • Empathy and humanization (avoid automated responses)
  • Forwarding to appropriate channels (support, privacy)
  • Do not delete negative comments (transparency)
  • Correction of misinformation with facts

What to Avoid

Common communication mistakes in crises:

  • Minimizing the severity ("minor incident")
  • Blaming third parties without evidence
  • Promising what cannot be delivered ("it will never happen again")
  • Using excessive technical jargon with a lay audience
  • Prolonged silence without updates
  • Defensive or combative communication
  • Contradictory information across channels
  • Ignoring legal notification obligations

Best Practices

  • [OK] Have legally pre-approved templates
  • [OK] Train spokespersons before the crisis
  • [OK] Keep an updated contact list (24/7)
  • [OK] Coordinate with legal before external communications
  • [OK] Document all communications
  • [OK] Conduct tabletop exercises including communication
  • [OK] Monitor sentiment and adjust the message
  • [OK] Post-mortem including communication analysis