Perhaps one of the biggest challenges unprepared organizations can face in cyber crisis communication is internal communication when an incident occurs. A robust cyber crisis communication plan will identify a dedicated interface between your comms team and the IT department or incident responders working to remediate a cyber event. A necessity for success is a high-level technical fact sheet that IT teams can fill out during an event to provide information to communicators.

Once complete, that fact sheet needs to be passed to someone on the communication team who has the skills to translate it quickly and accurately into terms that everyone can understand. This translated document then becomes your communication seed document and your single source of truth during an incident, helping to eliminate speculation and keep all your teams on message. A technical fact sheet, predefined and clear lines of communication between IT and comms, and an accurately translated seed document are elements that are seldom included in a traditional disaster communication plan.

An equally important step is determining who your stakeholders are and how you will communicate with them. These will be different for a cyber event than for a natural disaster, and identifying them up front will reduce confusion and help ensure you save time and money and preserve your reputation during a cyber crisis.

Each group requires a similar but distinct message. You should know what information each group requires and on what cadence. For example, customers may want to know if their data was compromised and what measures the organization is taking to address the issue, while employees may need to be informed about the impact on the company’s operations and any contingency plans. The media may require regular updates on the remediation status.

A solid cyber crisis communication plan will also include a stakeholder map — both internal and external — to help you align messaging accordingly. Some questions your map should answer are:

Who is my dedicated contact in IT? What information do I need from them to accurately communicate about a cyber event?

Who are my key internal and external stakeholders? (Pro tip: Make sure you include your Board of Directors)

What do I need to tell them and when?

What channels will I use — and do I have backup channels if primary channels are inoperable?

Who needs to approve communications — and when?

It’s helpful to use your stakeholder map to create templates and holding statements for each audience so your organization is better prepared when a crisis happens.

Your organization’s communication needs to be swift, meaningful, and come from a reputable source. Some organizations choose to have their CEO or CFO be the main point person for public comments (guided by PR or Communications), in addition to identifying a key spokesperson for internal communications. A robust cyber crisis communication plan should specify who will provide updates and where the updates will be given, and identify backup individuals for both roles.