When it comes to responding to incidents, there is no uniform approach. Every company, every incident and every regulatory framework looks different and has its own characteristics and requirements. With all these variables in play, it goes without saying that no two responses will ever look the same.
So why do companies want to use the same reporting processes and templates to communicate after a data breach incident?
Too many incident response communication plans start and stop at "draft notification letters using the prepared templates." On one level it makes perfect sense: in the middle of an incident, with so much to do, it is tempting to check the box and save time and money. The problem is that this approach not only oversimplifies the legal reporting requirements, but completely ignores the fact that you have a legitimate business interest in communicating with other groups, the gray area stakeholders. Gray, because the decision to inform them is not as black and white as a legally required notification.
By using notification templates more effectively and broadening communication plans to take gray area stakeholders into account, organizations can improve their overall incident response communication and take a major step toward maintaining stakeholder confidence and limiting the long-term effects of a cyber event.
Decide who to notify
One of the most fundamental elements of a response to an incident is the question of who must be notified. The answer depends on a multitude of factors, but essentially falls into two categories: the groups you are legally required to notify, and everyone else. The latter are the "gray area stakeholders" because, although there is no legal requirement to inform them, common sense and sound business judgment say you must still consider them. This list may include groups as varied as business partners, sales teams, the media, the board of directors, affiliated organizations, unaffected customers, etc.
Navigating this decision-making process is only the first step in communicating successfully after an incident. How well you execute those decisions can also have major consequences for the outcome of an event.
Legally required notifications
For legally required notifications, it can be a challenge to work out who must be reached and within what time frame. The requirement to inform victims of a data breach varies enormously by geography, industry and data categorization. Are you in financial services, healthcare or retail? Perhaps you are a defense contractor? Are your customers in California or in Europe? Do you hold social security numbers or payment card details? The patchwork of rules that determines who, when and how you notify covers such a large number of scenarios that it can be difficult to keep them all straight, let alone fully comply with them.
This is where pre-formatted templates (and a really good legal adviser!) can pay off. Especially when large numbers of notifications have to be sent, something resembling a form letter can save considerable time and money. I like to call them the Mad Libs of the cyber security world. When an incident occurs, simply select the correct letter template, fill in the corresponding nouns and verbs, press send before the clock runs out and boom! You are compliant.
Templates can be a great time saver, and that alone is reason enough to justify the time spent preparing them. Unfortunately, if it were that simple, we would not see so many headlines lambasting the dismal communication efforts of breached companies.
Although the specific information you must disclose, and the time frame within which you must disclose it, is determined by the applicable legal standards, the way you communicate is often open to interpretation. Too often, notification letters read like legal texts instead of customer-oriented communication. That leaves recipients feeling confused and distanced from your organization, which is clearly not ideal for long-term relationship management. Time must be spent on the tone and delivery of even the most basic notification letter. As the saying goes, "it's not what you say, it's how you say it that matters."
Bottom line: templates are not watertight and must be written properly in order to offer maximum benefit to your organization.
However, a good incident response communication plan does not stop there. It should also assess whether, and how, to inform any of your gray area stakeholders.
Gray area notifications
Good cyber security programs increasingly emphasize organizational resilience, an outcome that depends on the resilience of your reputation and of the trust placed in you by key stakeholders. Although it may not seem intuitive to talk voluntarily about a cyber incident, protecting your organization's reputation requires exactly that.
When data is lost, decisions will have to be made about which of the gray area stakeholders should be informed. A well thought-out incident response communication plan, one built on a good stakeholder analysis, will provide the objective information needed to inform that decision.
A stakeholder analysis can take many forms, but in this context it acts as a reference guide to the interests and priorities of, and the channels for communicating with, each of your stakeholder groups. As part of the incident response planning process, a stakeholder analysis is prepared by identifying each group with an interest in your organization, then determining what types of information they prioritize and what impact different breach scenarios could have on their relationship with your organization. This information is collected in a reference guide that lets you decide whether to inform a specific group based on clear, objective information, a welcome change in the immediate aftermath of a data breach.
This is where gray area notifications really earn their name, because there is no right or wrong answer. The decision about whom to inform is based on the business objectives and priorities of your organization and of each individual stakeholder group, as well as the specific characteristics of the incident. The stakeholder analysis feeds quality data into that decision-making process, but someone still has to make the call, and revisit it regularly as new information becomes available about the scale and scope of the event.
Despite the obvious benefit of enabling objective decision making in the midst of an otherwise subjective response process, too many organizations still fail to invest the time and resources needed to develop a full stakeholder analysis as part of their incident communication plan.
As with everything in cyber security, incident response communication is an exercise in risk reduction. Working out whom you are legally obliged to notify is a challenge, but once you have identified those groups, notification templates can prove very valuable, if used correctly. However, that cannot be where your communication strategy ends. The stakes are simply too high.
Recognizing the existence of gray area stakeholders and incorporating a comprehensive stakeholder analysis into your planning process can not only spare you a whole range of unintended consequences, but can actually help improve long-term relationships with your stakeholders and strengthen your organizational resilience in the face of future cyber events.
This article has been published as part of the IDG Contributor Network.