The Lost Art of Communicating Before, During and After an Incident

By Loren Dealy Mahler

Conversations around incident response tend to start and stop with tips for pursuing the perfect blend of skills, technology and resource allocation to detect and mitigate any event. Rarely is enough attention paid to the external factors that traditionally contribute significantly to the long-term costs of an event. Communication is chief among these outliers, because it is linked to the public perception of your incident management and either drives stakeholder trust and customer retention – or not. Each of these variables has an impact on the ultimate cost of an event, and by taking a few simple steps to communicate more effectively before, during, and after an incident, organizations could save themselves significant time and money. 

Before
Every team should incorporate an incident response communications plan into its existing incident response planning materials. You already know that no two incidents are alike, and that same idea translates into a different set of communications needs for each event. Knowing who to talk to, what information they need, when you should tell them, and how that all fits into a compliance framework isn’t straightforward in the best of times, and it gets even blurrier in the fog of an event. Take the time to sort out the options ahead of time when everyone is thinking clearly. A good stakeholder map, incident scale, and a holding statement will do wonders for your outcomes. Whether this effort is spearheaded by your security team or a joint venture with the communications office, just taking the time to think through the various scenarios and communication needs of your organization will go a long way towards making sure everyone makes good decisions when the time comes.

During
When you are faced with an incident that requires a communications response, (not all incidents do), there will be multiple groups that need information in various forms and on various timelines. Each is worthy of a detailed breakdown, but the long-term impact on your organization’s business structure is most often driven by the way you communicate with your customers. Ironically, while a strong customer base drives the health and wellbeing of your business, they are often paid the least attention in the aftermath of an incident. You don’t win loyalty points for sending out a letter from your legal team that no one understands.

Customers choose to do business with your company because they trust you. If you start causing them to question that trust, you run the risk of damaging your reputation and losing customers. It’s that simple. To maintain trust during an incident, people have to believe you have their best interests at heart and are making smart decisions to clean up the problem and prevent it from happening again. You have to communicate proactively, clearly, and confidently about what you know (not what you hypothesize), what you are doing (without getting defensive), and steps you are taking to keep it from happening again (without deflecting blame). You don’t have to check all of these boxes in a single, all informative communique. It can be a series of statements delivered in whatever way is most appropriate for your organization and event. The key is just to do it. Staying silent is never the right choice. Fumbling the response isn’t either.

After
When the wave of an incident has passed, it is tempting to close the door and move on, but when it comes to strengthening your reputation and restoring trust among your stakeholders, this is rarely a smart move. Instead of pretending like nothing ever happened, speak up about specific actions your organization is taking to improve your own security posture or how you’re helping others learn from your experience. Communicate these clearly and consistently to the groups who need to be reassured that you’re still a reliable partner, that their trust is still well placed.

In conclusion, any incident response is going to be primarily focused on the technical mitigation of the threat. That is understandable, but the companies that come out ahead are the ones who understand the importance of good communication throughout the process. When people are uncertain, they get worried. When customers are worried, they take their business elsewhere. By clearly and consistently communicating the right information before, during and after an incident, you can reassure them that you are a good, trustworthy partner, no matter the recent circumstances.