CEO's Communication Guide to a Security Breach

Cybersecurity breaches are a real threat. In fact, any business at some point will get breached, regardless of how good your cyber defense is, how big your company is or who you use for an IT provider. What matters is having a good defense plan, knowing what you are going to do to get your business back up and running, and especially how are you will communicate this news to your different stakeholders.

A cyber breach makes everyone nervous, from the CEO to the MSP that’s trying to get your business back. With this guide, you’ll be able to create a communications plan for when this happens. Remember, the idea is for you to have this in place, test it, and be ready to use when the time comes.

Do You Need a Vulnerability Assessment?


Establish the Facts

Your people found a cybersecurity breach. They’ve implemented incident response protocol, isolated the systems affected by the attack, and they believe they’ve stopped it. The cross-functional team has been assembled according to plan, and now it’s time to find out what happened. What do you need to know right now?


  • When was the breach discovered? How was it discovered?
  • Which systems have been affected, and are they still functional?
  • Is there any immediate evidence suggesting data was stolen, deleted, or added?
  • Who or what was the target?
  • Who committed the cyber attack, and what is their motivation (could be internal or external)?
  • What type of attack was it? (common types might be credential stuffing, denial-of-service, phishing)


More than likely, not all the facts will be immediately available, but there needs to be urgency in gathering information. Leveraging security services from an outside firm such as Connecticut-based NSI  can help accelerate the discovery and fact-finding mission when every minute matter.


New call-to-action


Create a “War Room”

The urgency used in addressing a cyberattack is critical to successful remediation, and the actions taken in the hours and days following a breach can make or break a company.  By now you should have already gathered the team identified in your incident response plan. The next step is to create a “war room” for the cross-functional members of the response team to work together in real-time. Since there is always a chance of internal threat actors, the environment should be treated as private and confidential, limiting access to the response team and specific individuals (internal and external experts). The last thing you want is news of the incident getting out before you’re ready to share.


Identify the Audiences

There are two primary groups to address following a breach:


  • Internal Groups - anyone inside or closely tied to the company. Employees, business partners, investors and key stakeholders
  • External Groups - clients and the general public


Be conscious of who gets included in the internal groups. Someone not bound by NDA could quickly make your internal message an external one.


Craft your Message

Messages should be tailored by target audience and strike a careful balance between being transparent and sharing too much. Customers and the public need to know that something happened, how it affected them, and what the company is doing to remediate the issue. Sharing the gory details will not help the situation. Internal audiences should receive enough information to dispell any rumors that might arise from being too vague.

The most important component of the communication is to ensure it’s crafted in such a way as to retain the trust of those affected and let them know the company will do the right thing when faced with difficult situations like this one. In situations where large numbers of customers are impacted, many companies will retain the help of a PR firm to support them throughout the process.


Select your Spokesperson or Spokespeople

Appoint one or more people to represent the company for communication of information about the breach and corresponding response. This person should be comfortable dealing with the public and under less than ideal circumstances. Common appointees are PR and legal, but this person could also be a COO. They should be ready to invest some time into this activity and be available to provide status updates as they become available.

Many companies will immediately consider the CEO as the spokesperson in dealing with a breach. While this may seem like a logical choice to represent the company, there can be logistical challenges especially when a CEO is already busy. Putting forward someone more accessible and available will pay off in the long run.




Communicate your Message

Now that the messaging has been carefully crafted, and the spokespeople assigned, it’s time to communicate to the audiences. These are the most important things to know:


  • Timing is everything. Use a cascading messaging plan, starting with the most trusted and key stakeholders, working outward until the messaging goes out to the general public.
  • Not all internal stakeholders will simply acknowledge the situation and move on. Expect that at least one person from the internal audience will (intentionally or inadvertently) make information from the internal message external shortly after the communication goes out.
  • Most employees assume it’s OK to answer questions “off the record”. Take the extra step to let internal audiences know that everything is always on the record, and to redirect questions only to the designated spokespeople for the company. 
  • If there are concerns about media response, prepare written statements in advance. A good PR advisor can provide guidance on proactively approaching the media or letting them come to your company.


Monitor Journals and Social Media

The message is out and there’s no taking it back. Existing and prospective customers, business partners, and the rest of the world will all have an opinion on the situation and how it was handled. Some may be more vocal, while others may just have further questions. It’s normal for people to be upset when their trust has been broken. Answering questions for those affected, or the public in general, will help rebuild that trust. If you’re not already staffed with social media expertise, now might be a good time to explore contracting with a firm or a few key experts to help handle the load.


What Can I do Now?

Security breaches are inevitable. Recovering from the impact to IT systems is just a part of it. Being ready with the right response to internal and external audiences is the difference between restoring trust after it’s broken, or losing it forever. Get ahead of it and use this guide to build out your communication plan now so you’re not trying to catch up to it later.


New call-to-action

Request a One-on-One Tech Strategy Call with Amoeba

About The Author

Client Success Manager for NSI