Communication during an Incident Response

In addition to the technical response, communication is also an important aspect requiring active management.

Data breach notifications

An investigation into the data breach suffered by the Australian National University in late 2018 found it was a well-planned and sophisticated attack that was likely to have been carried out by a team of 5 to 15 people working 24/7. The attackers used custom-built malware and zero-day exploits to infiltrate the university systems and steal an unknown quantity of data.

Learnings from the incident report include increasing phishing attack awareness, accelerating the use of two-factor authentication and the need for ongoing practice and cyber-attack simulation exercises. The full incident report has also been made public to allow other institutions and businesses to learn from it and protect themselves.

Approaches to communication following discovery of an incident differ depending on circumstances such as the severity, potential impact and timing of the incident. For example, an organisation may choose to delay notification following a breach until it is certain of the impacts and of containment.

It is important to strike the correct balance between being open with affected parties and protecting systems from further attack. Revealing too much information may result in undue escalation or exposure of vulnerabilities yet to be fixed; however, withholding vital information may hamper recovery efforts and create a negative impression of your business. Planning for effective communication is therefore an integral part of your overall Cyber Incident Response Plan.

If you are uncertain of your data breach notification responsibilities, refer to the Privacy Commissioner's guidelines. Consider engaging a specialised communications professional to assist if the incident may result in media attention.

Determine the communication channels and technology you will use ahead of time and test them regularly. The quality, frequency and content of your communications to stakeholders will have a significant impact on their perception of your organisation and of its ability to manage an incident.

Enhancing Incident Response Communication

The NIST Cybersecurity Framework offers support for ensuring communication processes are robust within your Incident Response Plan. The framework lists five areas for attention within the “Respond” function:

  1. Ensuring personnel know their roles and order of operations when a response is needed

Create an Incident Response Plan that describes your incident response capability. Regular testing of your response capabilities will also strengthen your skills and identify any potential weaknesses in your planning.

  2. Ensuring incidents are reported consistently with established criteria

Formalise the incident response team activation process by defining what constitutes an incident for your organisation, and ensure that communication and escalation processes are clear and documented.

  3. Ensuring information is shared consistently with response plans

Updates regarding security assessments, monitoring and incident response plans should be shared with all stakeholders.

  4. Ensuring co-ordination with stakeholders occurs consistently with response plans

An individual should be responsible for providing a consistent and coordinated view of the incident to stakeholders. Criteria for escalation to outside agencies should be clarified in the plan where possible.

  5. Ensuring that information is shared voluntarily with external stakeholders to achieve broader cybersecurity awareness

By sharing learnings, the entire security industry can benefit through security education, allowing your team to stay current with recommended security practices, technology, threats and vulnerabilities.