The Incident Response Communications (Crisis Communications) Plan
Our last blog post of the series reviewed the three key areas in which quick Incident Response is critical, and it is at this point that crafting the actual Incident Communications plan becomes crucial.
It’s important to note that each plan will be very unique to a business or a corporation, therefore, the exact requirements that needs to go into such a plan will vary.
In these instances it could prove to be very beneficial for an organization to actually hire an outside company that specializes in creating such plans.
The biggest advantage of this is that the Incident Response Communications plan will be created from an unbiased and neutral perspective.
… But the general components that should be included in this plan should include the following:
1. Identify who will be specifically involved on the Incidence Response communications team:
In this component of the plan, it is very crucial that the right people from all of the departments of the business or corporation are selected.
Once selected, all of these individuals must then understand the gravity of their responsibilities, as they must be able to respond quickly at a moment without hesitation.
The key individuals that need to be included on this team include the following:
> The CEO, CFO, and the CIO or CISO:
> A representative from the Public Relations department;
> A representative from the Investor Relations department;
> A representative from the Human Resources department;
> A representative from the Sales and Marketing department.
It is also important that at least two individuals from these respective departments should be trained in how to handle any communications or queries from the media.
Also, an alternate to each representative should also be picked in case the primary representative cannot be reached during the time of a crisis.
2. Have mechanisms in place where employees can help communicate any unforeseen threats:
In this regard there should be an open line of communication where feedback from employees is solicited across all departments of the organization, and at all levels.
The goal here is to have the ability to report any new threats and even new ideas for the continuous refinement of the Incident Response communications process to the appropriate representative of the IR Communications team (as just described).
By having this particular line of communication in place, a proactive security mindset will be instilled among all employees of the business or corporation.
3. Create and develop the messaging around the risks that have been identified:
After the representatives have been selected and the open lines of communication set forth, the next step is to create the messaging for each kind of cyber risk that the organization is prone to.
Obviously, the details of what will be communicated to the public and other key stakeholders will vary if an organization is actually hit by a cyber-attack.
However, at this point in the Incident Response Communications plan, it is important to have at least the messaging template prepared so that the designated representatives of the various departments will be able to communicate with confidence and effectiveness.
4. Create the Internal Contact Roster:
This component of the Incident Response Communications plan is deemed to be one of the most important.
After all, once a business or corporation is hit by a cyber-attack, the first thing that will come to mind is contacting the department representatives to determine exactly what is happening and to what degree the damage is.
In this regard, it becomes critical to have all of the contact information (which includes work e-mail, personal e-mail, work cell number, personal cell number, and even home telephone number) for each of the department representatives.
All of this contact information should be documented in an easy and quick to read format, such as that of a call tree.
It’s also important to include all of this contact information for the alternate department representative as well.
The bottom line here is that all of the contact information must be up to date and confirmed at least once a month for any changes.
5. Identify and establish relationships with the key stakeholders of the organization:
Apart from communicating with employees and the department representatives, it is also equally important to reach out to the stakeholders that have a vested interest in the well being of the organization in the time of a crisis. Such individuals include the following:
> Investors and shareholders;
> Customers and business partners;
> Suppliers and distributors;
> Any relevant government official at the local level.
This particular component of the Incident Response Communications plan is an often overlooked one; therefore, it is important to include all of their contact information in the call tree as well.
The call tree should be made available to all department representatives (including their alternates) and key stakeholders in printed, electronic, and online formats.
Finally, it’s important for a business or a corporation to not focus on just preparing for just one type or kind of cyber-attack. Rather a holistic view should be taken, which will allow you to prepare for any cyber-attack.
These components of the Incident Response Communications plan can be diagrammed as follows:
Our next blog post of the series will examine as to how a security breach, and the steps to mitigate it should be reported to key parties.