Incident response: How to implement a communication plan

1. Formalize the incident response team activation process

The first crucial communication that takes place in the wake of a security incident is the activation of the incident response team. Any employee suspecting a security incident should contact the organization's security operations center (SOC) or other designated 24/7 monitoring point. The SOC should follow a standard triage process to determine whether the event warrants the activation of the full incident response team.

In cases where the SOC determines team activation is required, time is of the essence. Organizations should consider adopting an alerting mechanism, such as PagerDuty or Opsgenie. These tools manage on-call schedules, trigger alerts through multiple communication channels and provide responder status information. Offloading these tasks to a dedicated platform reduces the burden on SOC analysts and convenes the incident response team faster.

2. Designate a point person for external communication

As soon as word leaks of a security incident, external stakeholders will begin clamoring for information. The incident response team will be bombarded by requests from customers, the media, regulators and other stakeholders. Crisis communication requires a coordinated response to control rumors and ensure the organization presents a clear and consistent message across communication channels.

An enterprise should create a communication role on its incident response team to provide this consistent and coordinated view of the incident to external stakeholders through regular updates.

This person may not be a deeply technical team member but should have enough familiarity with technical concepts to serve as both a translator and filter for the technical information emerging from the response team. A glossary can help ensure the vocabulary used in written and verbal communications is correct and consistent.

3. Create criteria for law enforcement involvement

Two of the most crucial decisions facing an incident response team are the following:

1. whether it is appropriate to involve law enforcement; and
2. when notification of law enforcement should take place.

These are difficult decisions because law enforcement involvement often changes the nature of an investigation and increases the likelihood of public attention. On the other hand, law enforcement personnel have access to investigative tools, such as search warrants, that are unavailable to internal teams.

Incident response communication plans should address this quandary by outlining clear criteria for when the team should notify law enforcement. The plan should also identify who on the team has the authority to make that determination and what internal notifications should take place prior to involving law enforcement. For example, the team should likely consult with both executive leadership and legal counsel prior to involving the authorities.

4. Develop communication templates for customer outreach

Many security incidents require some level of communication with customers or the general public, and any incident response communication plan should account for this.

Communication templates are critical to an incident response communication plan.

This might be a required notification in the wake of an unauthorized release of personally identifiable information, or it might be an explanation to customers of a service disruption. The frequency, quality and content of these communications have a significant effect on public perception, and these factors work to either limit or magnify the reputational damage associated with a security incident.

That's why communication templates are so critical to an incident response communication plan. In fact, they are perhaps the most important tool that a communication planning team can provide to incident responders. It's extremely difficult to craft a thoughtful, careful notification message, and many people will want to be involved, ranging from account managers and executives to lawyers and PR experts.

Developing preapproved incident response communication templates can clear those hurdles in advance, leaving the incident response team to simply fill in the blanks and tweak template language, as necessary.

5. Monitor social media

Social media is an extremely important channel of communication between many organizations and the general public. Customers are quick to publicly voice their displeasure with an organization by tweeting out or posting a public tongue-lashing. While companies should regularly monitor their social media mentions, this becomes crucially important during a crisis, such as a cyberincident.

Social media feeds can provide the incident response team with a quick read on customer sentiment and serve to trigger rapid intervention if rumors start to spiral out of control. In addition, social media reports may provide the team with important indicators of service performance, information disclosures and other facts that might shape their response priorities.

Rapid and effective communication is an essential component of a strong response to a significant cybersecurity incident, such as a data breach. Solid incident communication plans provide mechanisms for the following:

• rapidly notifying stakeholders;
• coordinating both internal communications and external communications; and
• monitoring customer sentiment.

These tools improve the organization's ability to respond to a crisis and help minimize reputational damage.

Editor's note: This article was written by Mike Chapple in 2019. TechTarget editors revised it in 2023 to improve the reader experience.