Zero trust frameworks and the role of internal comms
According to IBM, the average data breach cost $4.45 million in 2023, a 15% increase over three years. As cyberattacks become more sophisticated, organizations are adopting zero-trust security frameworks, also called zero-trust architecture (ZTA), and privacy regulation is expanding. According to the Gartner® report Top Trends in Privacy Driving Your Business Through 2024, “By year-end 2024, 75% of the world’s population will have its personal data covered under modern privacy regulations.” (1)
As organizations invest in tighter security measures, such as ZTA, an approach that treats no user, device, or connection as trustworthy by default and verifies every access request, one element companies often overlook is how to communicate with employees during a data breach. In this article, we review the role of internal and employee communications teams if a cyberattack or breach occurs. What do employees need to know? And how can you keep them informed?
Pre-cyberattack steps: Form a crisis response team and prepare communications plans and templates
As corporations continue their digital transformations, Gartner reports that, “By 2025, 80% of organizations seeking to scale digital business will fail because they do not take a modern approach to data and analytics governance.” (1) Governance covers controls and risk management, preparation, and response planning, and corporate and employee communications belong in those plans.
Establishing a crisis response team and a response plan before any cyberattack or data breach occurs is essential. According to C-Risk, a cyber risk management company, your crisis response team should include general management, communications, legal affairs, quality management, site directors (if applicable), and the heads of relevant departments, particularly data security and IT systems. A well-rounded response team is a cross-departmental group of experts who contribute to decision-making during planning and throughout any critical event.
You want a general crisis communications plan and may want more detailed plans for anticipated crises, including cyberattacks and data breaches. While public relations and marketing may own external stakeholder communications, internal comms and HR should create the employee comms plan, and a named person must act as the liaison to the crisis response team.
More extensive plans can include message drafts for the most common scenarios, including denial-of-service and ransomware attacks, email leaks, and customer or employee data breaches. Planning should include comprehensive, up-to-date lists of employees and stakeholders, with contact details for both primary and backup channels: corporate email, an alternative (personal) email address, a mobile or home phone number, and a physical mailing address. Plans should assume that primary digital channels may be unavailable during a cyberattack, or, when the email or chat systems are themselves compromised, readable by the attacker, so at least one channel per person should not depend on corporate infrastructure.
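The contact-roster requirement above is easy to state and easy to get wrong in practice: a "personal" address that turns out to be on the corporate mail domain, or a manager whose only backup channel is the corporate chat tool, silently breaks the cascade. The following is an added example, not code from the article or from any vendor it cites, that checks a roster for exactly those gaps. The channel taxonomy, the example.com domain, and the people on the roster are assumptions constructed for illustration.

```python
"""Out-of-band reachability check for a crisis-notification roster.

Added example, not from the article: given a contact roster, flag anyone who
can only be reached through corporate systems (which may be offline or
readable by an intruder during an incident) and build the manager cascade
used to relay talking points. Roster entries, names and the example.com
domain are constructed for illustration.
"""
from collections import defaultdict

# Channel taxonomy is an assumption made for this example: these channels
# survive a corporate outage or a compromised mail/chat environment.
# corp_email and chat are treated as in-band and never count as a backup.
OUT_OF_BAND = {"personal_email", "mobile", "home_phone", "postal"}

CORP_DOMAIN = "example.com"  # hypothetical corporate mail domain

# Constructed sample roster (hypothetical people and addresses).
ROSTER = [
    {"id": "e1", "name": "A. Lead", "manager": None,
     "channels": {"corp_email": "a.lead@example.com", "mobile": "+1-555-0100"}},
    {"id": "e2", "name": "B. Manager", "manager": "e1",
     # The "personal" address is on the corporate domain: not a real backup.
     "channels": {"corp_email": "b.manager@example.com", "personal_email": "b@EXAMPLE.com"}},
    {"id": "e3", "name": "C. Staff", "manager": "e2",
     "channels": {"corp_email": "c.staff@example.com", "chat": "@cstaff"}},
    {"id": "e4", "name": "D. Staff", "manager": "e2",
     "channels": {"corp_email": "d.staff@example.com", "mobile": "+1-555-0104"}},
]


def out_of_band_channels(entry, corp_domain=CORP_DOMAIN):
    """Return the channel names for this entry that do not depend on corporate systems."""
    usable = []
    for kind, value in entry["channels"].items():
        if kind not in OUT_OF_BAND or not value:
            continue
        # An alternative mailbox hosted on the corporate domain fails with it.
        if kind == "personal_email" and value.lower().endswith("@" + corp_domain):
            continue
        usable.append(kind)
    return usable


def find_unreachable(roster):
    """IDs of people with no out-of-band channel, in roster order."""
    return [e["id"] for e in roster if not out_of_band_channels(e)]


def build_cascade(roster):
    """Map manager id -> direct-report ids, so talking points sent to each
    manager cover everyone. Raises if a manager id is not on the roster."""
    ids = {e["id"] for e in roster}
    tree = defaultdict(list)
    for e in roster:
        boss = e["manager"]
        if boss is None:
            continue
        if boss not in ids:
            raise ValueError(f"{e['id']} reports to unknown manager {boss}")
        tree[boss].append(e["id"])
    return dict(tree)


def cascade_gaps(roster):
    """Managers who cannot be reached out-of-band, with the reports who would
    miss the cascade through them."""
    unreachable = set(find_unreachable(roster))
    return {m: reports for m, reports in build_cascade(roster).items()
            if m in unreachable}


if __name__ == "__main__":
    print("no out-of-band channel:", find_unreachable(ROSTER))
    print("cascade:", build_cascade(ROSTER))
    print("blocked cascades:", cascade_gaps(ROSTER))
```

Run against the constructed roster, the check reports e2 and e3 as unreachable without corporate systems and, because e2 is a manager, flags that e3 and e4 would miss any cascade routed through e2. Running something like this on a schedule, rather than once when the plan is written, is what keeps the roster "up to date".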
5 guidelines for effective crisis communications
1. What do you know? Establish the facts.
When a crisis emerges, the first step is to convene as much of the response team as possible, evaluate the situation, and activate the response plan. Assess the current facts: the nature and scope of the attack or breach, who and what are affected, the changes you anticipate, and when the next situational update will be issued.
2. Communicate with your employees first.
Employees should never learn about an attack or breach from the media, external sources, or office gossip. Instead, leadership should message employees about the incident early, with advice on what they should and should not do. Proactive communication reduces confusion and mistrust. While the technical teams work to contain the incident, the comms team must give employees the what, why, and when as soon as that information is available. According to the Federal Trade Commission (FTC), in deciding whom to notify and how, an organization should consider state laws, the nature of the compromise, the type of information taken, the likelihood of misuse, and the potential damage if the data is misused.
3. Be as transparent as possible.
Share what happened and give clear instructions on how employees can limit the effects and what they can and cannot say about the incident. In some situations, the FTC recommends consulting law enforcement about the timing of notification so that it does not impede an investigation. When the full scope or nature of the breach is unknown, explain what you know, what is still unknown, the current status, the actions you are taking, and the next steps.
Addressing common concerns can minimize fears and rumors. For example, you may say, “While we are actively investigating, our immediate priority is to ensure the security of our systems and protect your personal information.” Communications should be honest, empathetic, and reassuring where possible, but never at the cost of misleading employees or sugarcoating the situation.
4. Provide frequent updates.
Cyberattacks and data breaches are stressful for employees, especially if their health or financial information may be at risk. Keeping communication lines open is essential to alleviating uncertainty. Even if no significant developments occur, regular updates reassure employees that the company is actively working to resolve the issue. Silence leads to unnecessary speculation and fear.
5. Empower managers to assist.
Employees often trust their direct managers the most, so many crisis communication plans route information through mid-level and frontline managers. Empower managers to cascade information to their teams by giving them talking points, guidance, and a channel for relaying questions to senior leadership. This decentralized approach keeps information flowing throughout the organization.
Communications is Critical
While a strong security posture and a small attack surface are essential, communications plays a critical role in preparing for and responding to cyberattacks and data breaches. By establishing a proactive crisis communications plan that involves key stakeholders, communicating promptly with employees, being transparent to the extent possible, sharing frequent updates, and empowering managers, your organization can reduce the impact of such events and build trust with managers and employees.