📬 Mailbag: Are there any examples of good incident response communications?
Mailbag questions are submitted anonymously by our readers. Submit your own question for our team at discernibleinc.com/blog.
Sadly, there are A LOT of examples of poor incident response communications. Nobody asks me for these. 😎
The tougher question, the one that takes experience and expertise to answer, is what does good incident response communications look like? Well, we have several client examples that I’m proud of — and even more NDAs protecting them. So, here are a few examples that I didn’t work on that I think have merit and are worth considering.
I’ve listed several categories of communications here because, after all, good incident response communications are about more than a press statement or customer notification. Yes, the best responses I’ve seen include credible press statements and transparent notifications, but also so much more!
Incident Disclosure
There are several things I really like about this blog post from Twilio about a 2022 phishing attack that stole employee credentials in order to gain access to customer data:
Twilio published continuous status updates all the way through the conclusion of their investigation. It’s all in one place, easy to find, and easy to read.
They apologized for the incident. Apologies go a long way in demonstrating that you actually give a sh*t about the people behind the data – I love that Twilio’s lawyers are also human.
There are multiple updates involving communications with other parties including customers, partners, and service providers. I can tell from reading their updates that Twilio’s security team didn’t just lock their own door; they cared enough to try to eliminate future risk for other businesses and their customers. Industry collaboration is a strong signal of a mature security operation and long-term commitments.
Status Report
Years ago, Cloudflare effectively established a reputation for operational transparency with its ongoing timeline of status reports. From network performance issues to security incidents, Cloudflare doesn’t shy away from telling the world what’s going on. It’s clear that disclosing incidents is second nature for this team and they’re comfortable disclosing technical details, especially when they can help other organizations. Additionally, security incidents are disclosed in the same timeline as other service issues. There’s no one-time URL that’s going to disappear in a few months or try to hide from online search results.
One of the most common questions that comes up when preparing clients for incident response with a dedicated communication playbook is where the company’s official disclosure and updates should live online. Companies already in the habit of publishing and maintaining a status report page have a real advantage over those that don’t have an equivalent process in place. Consistency across stakeholder communications is critical in security incidents and a good status report page gives all stakeholders a shared, single source of truth with the ability to dig deeper to whatever level of technical detail they need.
Media Strategy
The #1 hype item in every vendor-led tabletop exercise is media engagement. Stop conditioning your teams to fear talking to the media about incidents – trust requires transparency. Sure, talking to the media effectively requires a certain skill and know-how; but if it scares you, then you’re not prepared. Fear of journalists is not the desired state for transparency or public trust.
In 2018, TimeHop disclosed a network intrusion that caused a breach of customer data. TimeHop was believed to be the first U.S. company to suffer a security breach after GDPR went into effect with its 72-hour notification requirement. In addition to their public disclosure statement, the company gave NBC News an exclusive play-by-play of what happened in the hours and days after the intrusion – and this is the piece of their response I want to commend. This level of press engagement is not necessary or appropriate for every organization; but if you’re afraid of what journalists might find out, you had better fix those issues now. These skeletons are stressful, expensive, and impossible to keep buried forever.
Here are a few key things I liked about TimeHop’s engagement with NBC News:
Senior executives, including the CEO and COO, spoke about the incident on the record to take responsibility.
Zero attempts at throwing a CISO/CSO or the security team under the bus.
Their initial response wasn’t perfect and they were honest about it.
Industry collaboration and communication!
No One Size Fits All
There is no universal “crisis comms” plan that can adequately prepare an organization with the type of culture, process, and confidence needed for effective security incident communications. The best security communications come from teams who aren’t just thinking about what to say in the event of an incident, but what they’re already saying (or not) to prepare stakeholders in advance. Imagine if quarterly earnings calls were the only way publicly traded companies could communicate with investors. 😱
In my experience over the past 15 years, the frequency and comfort with which organizations proactively talk about their security incidents (big or small) has a significant impact on the credibility of their statements when they need it most. What are you waiting for?
If you would like to learn more about Discernible’s incident communications preparedness and response services, please contact us here.