Stay Ahead of Ransomware: Communication During a Cyber Incident

On this month's SANS Stay Ahead of Ransomware livestream, we explored the critical role of communications during cyber incidents with special guest Kelly Miller, Managing Director at FTI Consulting. With extensive experience leading communications responses for high-profile data breaches, Kelly provided valuable insights on how to communicate effectively before, during, and after a ransomware incident.

The Communication Imperative in Cyber Incidents

Kelly emphasized that while organizations are no longer harshly judged simply for experiencing a breach, they are scrutinized for how they handle the response. Around 2020, when ransomware attacks became more prevalent, the focus of media criticism shifted from technical security failures to communication deficiencies—specifically, how clearly organizations communicated and how quickly they responded.

We discussed how every organization has its own personality when responding to incidents, with some being more transparent while others take a more conservative approach. Kelly stressed that communication plans must be tailored to each organization's unique culture and audience needs.

Preparedness: The Foundation for Effective Crisis Communication

A key theme throughout our discussion was the importance of preparation:

• Establish relationships before incidents occur: Build connections between IT/security teams and communications, legal, and executive teams.
• Create communication protocols: Develop approval processes, call trees, and clarify who needs to be involved in communications decisions.
• Conduct inclusive tabletops: Include representatives from various departments, including communications and PR teams.
• Build media relationships: Establish rapport with reporters who cover cybersecurity before an incident occurs.

Initial Response: Internal Communication Priorities

When an incident is first detected, Kelly recommended:

• Be honest early: Build trust by being transparent about what is known and what isn't yet known.
• Focus on operations: Clearly communicate what systems are and aren't working to reduce uncertainty.
• Address immediate concerns: Anticipate and answer key questions, like "Will payroll be affected?"
• Lead with empathy: Remember that emotions run high during incidents, and people may fear for their jobs.
• Provide clear guidance: Give employees specific instructions on what they should and shouldn't communicate externally.

External Communication Considerations

For communicating with external stakeholders, we discussed:

• Law enforcement engagement: Cooperate with law enforcement while being cautious about what information is shared. Building relationships with your local FBI field office before an incident can be invaluable.
• Media management: Understand media cycles and how ransomware fatigue has changed reporting patterns.
• Consistent messaging: Ensure all communications tell a consistent story across channels and audiences.
• Audience-specific approaches: Different stakeholders need different types of information—tailor messaging accordingly.

Who Handles Communications When There's No PR Team?

Many organizations lack dedicated PR resources. Kelly suggested general counsel often serves as a good point of contact for communications, as legal strategy should guide all external messaging. Additionally, HR or marketing teams can play important roles, but collaboration across departments is essential.

Common Communication Pitfalls

We explored several ways communication can go wrong:

• Social media leaks: Employees sharing information on personal accounts can create confusion and be picked up by news outlets.
• Information vacuums: Without official information, people will fill in the blanks with assumptions.
• Inconsistent messaging: Different stakeholders receiving different information creates chaos and legal risks.

To mitigate these issues, Kelly recommended providing employees with clear guidance on what they can say, reminding them of social media policies, and explaining why consistent messaging matters.

Looking Forward

The conversation highlighted that experiencing an incident, while challenging, provides valuable learning opportunities that strengthen an organization. Many organizations take preparedness much more seriously after experiencing even a minor incident.

Additional Resources

• Join us on the first Tuesday of next month at 1:00 PM Eastern for our next Stay Ahead of Ransomware livestream.

• Executive Cybersecurity Exercises: A practical training exercise through a simulated cyberattack to enhance and test your team's tactical and strategic cyber resilience.

• LDR533: Cyber Incident Management: This course equips you to not just be a member of the incident management team but a leader or incident commander.