A significant part of incident response involves communication. NIST’s guidance in this regard focuses on the demands of internal and external stakeholder coordination and appropriate information sharing. Getting this part right requires knowing who should be saying what, when, and to whom.
Say What? Effective incident communication must take into account the unique business needs of different corporate recipients, ranging from IT to HR to Legal. As the late Chicago journalist Sydney Harris once remarked: “The two words ‘information’ and ‘communication’ are often used interchangeably, but they signify quite different things. Information is giving out; communication is getting through.” For incident response, this means (1) establishing criteria for events with business significance; (2) enabling automated response when possible; and (3) limiting internal reporting to individuals who understand its importance, have clear roles and responsibilities, and know how to properly time and coordinate their actions.
You Don’t Say! Although companies may press forensic investigators to update them every step of the way, it is important to discern initial assessments and theories from ground truth. Be mindful that, as is true in other dynamic situations, initial reporting often is incomplete and may be misleading. Peter Drucker noted, “The most important thing in communication is hearing what isn’t said.” Early forensic findings are unlikely to conclude: “We figured it all out.” There’s good reason for that. They haven’t.
To Say the Least. There were no computers when Plato observed, “Wise men speak because they have something to say; Fools because they have to say something.” With this in mind, companies typically limit initial external stakeholder communications to (1) acknowledging the fact of an investigation; (2) noting any assistance of outside experts and law enforcement; and, (3) highlighting the organization’s commitment to protecting consumers and employees by continuing to keep them informed, by addressing the cause of the problem, and by pursuing or recommending enhanced security measures.
Can’t Say for Sure. Finally, consider the possibility that the company’s communications infrastructure will not be available during an incident. Experts routinely warn against the use of internal email to discuss a breach since the intruders could be watching. In one recent high profile breach, the CEO was frustrated because the hackers had taken down the entire network infrastructure, including access to the telephone directory. Locating phone numbers and making individual calls was nearly impossible and, although a third-party emergency notification system was in place, the company had not required all employees to sign up. Lesson learned.
For those companies that conduct well-scripted tabletop exercises to prepare for an incident, it also is worth keeping in mind that certain decision-makers may not be available when needed, that they will be facing competing demands, and that they are unlikely to be gathered in the same room at the same time.
Suffice it to say, internal and external communications are essential elements of incident response. Prepare now, or risk NIST pointing out “We told you so.”