Incident Response Plan – Part 6

PenetrationVulnerabilityTestingPhoto Man tablet digital lock
This entry was posted in Security and tagged , on by .

How to Report a Security Incident to Internal Stakeholders

As it has been discussed throughout this blog series, the need to respond quickly and to communicate on a real-time basis after an organization has been hit by a Cyber-attack is very critical. Just as important is the need to communicate after the Cyber-attack has been specifically identified and it’s the effects of its impact has been resolved.

After all, people will want to know what exactly has happened, the damages and/or losses it has created, and what can and will be done in the future to prevent it and similar attacks from occurring.

In these instances, it is imperative to communicate all of this to parties that are both internal to the business or corporation (such as the employees, executives, board of directors, investors – these are considered to the “internal stakeholders”) as well as external (such as the partners, clients, suppliers, distributors, etc. – these are considered to the “external stakeholders”).

Thus, withholding any kind of information about the Cyber-attack could lead to a serious level of mistrust and misunderstandings.  Therefore, the representatives of the Incident Response Team must be open and forthright as to what exactly transpired.

How this information will be ultimately disseminated to the internal stakeholders is entirely up to the organization – there is no hard and fast rule for this.  For instance, it could take place as a memo, an E-Mail, or it could even be posted on the company intranet.

But in the end, perhaps having an open forum where the internal stakeholders are physically present could be the best venue to take.  Taking this approach will allow for a real time Questions/Answers to take place, and the internal stakeholders will feel that their input and suggestions will be valued and taken seriously.

In order to decide what will be formally communicated to the internal stakeholders, a defined process must be followed, which is as follows:

1)     Triage the Situation:

The three fundamental questions about the Cyber-attack must first be answered.  These are also known as the four “W’s”:

  •             Whom specifically launched the Cyber-attack?
  •             Why did the Cyber-attack (in other words, what was the underlying motive)?
  •             What parts of the organization did the Cyber-attack effect?
  •             Where was the Cyber-attack launched from?

2)  Decide the specific medium in which the internal stakeholders will be notified:

As mentioned, this could take place either in a print, electronic, or direct person approach.  But whatever the decided medium is, it is important that all messages (such as E-Mails and Texts) be        kept within the Incident Response Team until the above questions have been fully answered.

2)     Manage the Timing of the Communication:

In this step, the internal stakeholders need to be told the venue of how they will be informed of the Cyber-attack, and when such communications will occur.

4)     Rehearse the message:

At this stage, it will be important to conduct a dress rehearsal of the actual message that will be communicated amongst the internal stakeholders.  For example, if it is in a print or electronic form, it will be important that all members of the Incident Response Team review it carefully before it is distributed.  Or, if it will be open forum based, then the presentation that will be given needs to be practiced, as well as the Question/Answer session, where it will be important to brainstorm any potential items that could be questioned by the internal stakeholders.


Our next blog will examine how to communicate an Incident Response to the external stakeholders of your organization.