Don’t Let Your Crisis Response Create a Crisis

January 15, 2019 by Kristin Zurovitch

We’ve all seen the recent headlines about massive corporate cybersecurity breaches. Smart business leaders understand the terrible damage that can be inflicted on their organization’s brand and reputation by a botched response to a security incident, which in turn can lead to both financial and operational harm. Your customers, clients, suppliers and employees all need accurate information about what happened, how it occurred and if their personal information is in the hands of cybercriminals. As attractive as the thought might be, hiding under your desk and hoping it will all go away is not a sound strategy!

That’s why we hosted a webinar on the business impact of cyber risk to discuss how organizations are preparing to mitigate cyber risk in 2019.

There is an abundance of good crisis response information on the Internet, and there are hundreds of crisis and communication experts who can guide your organization through the labyrinth of response plans. And while no two cybersecurity events are alike, here are a few communication ideas if you ever become the victim of a breach.

Mom Was Right About the 5 P’s

The old standby “Prior Planning Prevents Poor Performance” was first drilled into my head during last-minute cramming for tests in high school. But this chestnut still resonates today when crafting a crisis response plan.

Regardless of the size of your organization, any business can form a response team and devise a basic plan. Having your team and plan in place before a crisis hits can save you valuable time when the media is knocking on your door.

  • Identify the team that should be at the table when a crisis occurs — legal, HR, the CSO or CISO, IT, government relations, public affairs, digital team, internal communicators and customer service are a good start. The individuals should each have a clear picture of their role during a crisis. One executive-level person should be charged with the team’s operation and serve as the group’s champion.
  • Develop clear, pre-planned decision rights and who makes the final call after receiving counsel from the group. You’ll also need to decide who will speak for the company during a crisis. Many companies wisely use the CEO as the primary resource — especially if it’s a very serious crisis.
  • Identify the key audiences you need to inform — those directly impacted by the breach, other customers, suppliers, your employees, the media and/or regulators. Think about the information your audiences need (and deserve) to hear and balance that against what information you are comfortable disclosing.
  • Plan what communication pathways to use for distributing the information to each of the audiences. Templated internal communications can be framed up along with pre-populated internal email address lists. Media lists can be built ahead of time with your key local and national reporters. Lists of NGOs and regulators can also be prepared.


In the very early stages of a crisis it is easy to get overwhelmed and try to come up with every possible response to every possible question you might receive. And as a business person, it’s normal to want every tiny detail so you can fix the problem and work to make sure it never happens again.

And while it’s wise to gather all the information possible for your internal investigation, it’s not smart to publicly share every detail — especially if it could harm your internal forensic investigation of the breach.

Put yourself in the position of your audiences and think about what information you would want and what is “owed” to you from a responsible organization:

  • Who is affected by the crisis?
  • What happened AND what are you doing about it AND what are the next steps?
  • Where did it occur? (This can also describe those affected, e.g., company headquarters, customers across the U.S., clients in Wisconsin, etc.)
  • When was it discovered?
  • How did it happen? This question can be difficult to answer early, but you want to assure your audiences that you are investigating.

Reasonable Expectation to Act Responsibly

Helio Fred Garcia was an early mentor of mine and I’m not joking when I say he literally wrote the book on crisis communications. With more than 38 years in the communication and crisis management field, Fred has lectured around the world, counseled some of the biggest names in business and authored the best books you can find on leadership and crisis communications. He is the president of crisis management firm Logos Consulting Group and executive director of the Logos Institute for Crisis Management & Executive Leadership in New York.

My principal crisis response advice is for you to study Fred’s books on the subject. The Agony of Decision: Mental Readiness and Leadership in a Crisis is his most recent and available from the usual sources. I also recommend visiting his firm’s blog.

Communication during a crisis can be scary. There is no one-size-fits-all plan, and oftentimes leaders simply don’t know where to begin during a crisis. While it might be tempting to circle the wagons, transparency is your best policy, for one reason: the truth always comes out.

If you are experiencing a communication block at any stage of a crisis, this mantra — repeatedly imparted to me by Fred — serves as a helpful guiding principle:

“What would reasonable people appropriately expect a responsible organization or leader to do when facing this kind of situation?”

Building Your Response

After your advance strategy is ready and you have calculated what to communicate, Fred’s book Reputation Management: The Key to Successful Public Relations and Corporate Communication provides five smart steps for keeping control of the message and getting your crisis off the front page of the newspaper.

Tell it all

  • Bundle everything you have into as few news cycles as possible
  • Not to be confused with saying too much or speculating
  • Only say what you know at that time

Tell it fast

  • It’s better to be the one talking about a crisis than having others mention it first
  • Helps control rumors
  • Allows you to take the high ground

Tell ‘em what you’re going to do about it

  • You owe it to your audiences to tell them what you’re doing
  • Outline the steps being taken to fix it and make people whole

Tell ‘em when it’s over

  • Nobody wants to reopen an old issue once it’s been resolved, but there are always those who want some level of closure

Get back to work

  • After the thrill and excitement of navigating a crisis, it can be hard to get back to daily operations.
  • Before too much time lapses, hold an internal post-action review to discuss what worked well and what should be ironed out before the next crisis

Time is of the Essence

It bears repeating. Getting accurate information to your audiences quickly is key to controlling your crisis message. However, having the most complete, most accurate explanation at that time should not be sacrificed for speed. It is possible to frame your messages without having the complete picture (most people know that it can often take weeks and months for the complete cause to be determined).

Share the information that you know is correct: when it occurred, how it happened and how you are going to make things right for customers, but add that it is early in the investigation and you will have updates. Promise a transparent process and then follow through on your promise. This can often be the difference between an incident that bubbles up and goes away quickly, and one that escalates into a brand-damaging crisis.

Improve Your Security Awareness Training with SecurityIQ

Human error continues to be the primary factor when determining how a breach occurred. According to the Verizon 2018 Data Breach Investigations Report, 93 percent of all investigated cybersecurity events involved phishing or financial pretexting. And of those, email is still the hacker’s favorite distribution path.

InfoSec Institute’s SecurityIQ helps prevent human error by teaching employees the skills they need to detect, avoid and report a cybersecurity threat. The program provides phishing simulation and security awareness training in one automated platform, and contains a library of 1100+ realistic phishing simulations and more than 500 training modules. SecurityIQ can help you build and measure your entire security awareness program — and stay out of the crisis response business.

Kristin Zurovitch
Director of Corporate Communications, InfoSec Institute