Kaspersky Incident Communications

In case of a cybersecurity incident, whom should you communicate with inside the company? Which channels should you use — and which ones should you avoid? And how should you react?

I remember that day like it was yesterday: Our CEO called me into his office, asking me to leave my smartphone and laptop at my desk.

“We’ve been hacked,” he said bluntly. “The investigation is still ongoing, but we can confirm that we have an active, extremely sophisticated, nation-state sponsored attacker inside our perimeter.”

To be honest, this wasn’t totally unexpected. Our specialists had been dealing with our clients’ security breaches for quite a while already, and as a security company, we were a particular target. Yet, it was an unpleasant surprise: Someone had penetrated an information security company’s cyberdefenses. You can read about it here. Today, I want to talk about one of the key questions that arose immediately: “How do we communicate about it?”

Five stages of learning to live with it: Denial, anger, bargaining, depression, and acceptance

As it happened, pre-GDPR, every organization actually had a choice — whether to communicate publicly or deny an incident had even occurred. The latter wasn’t an option for Kaspersky, a transparent cybersecurity company that promotes responsible disclosure. We had consensus throughout the C-suite and started preparing for the public announcement. Full steam ahead.

It was the right thing to do, too, particularly as we watched the widening geopolitical rift and saw clearly that the mighty powers behind the cyberattack would definitely use the breach against us — the only unknown elements were how and when. By proactively communicating the breach, we not only deprived them of this opportunity, but we also used the case in our favor.

They say there are two types of organizations — those that have been hacked and those that don’t even know they were hacked. In this realm, the paradigm is simple: A company shouldn’t hide a breach. The only shame is in keeping a breach from the public and thus threatening customers’ and partners’ cybersecurity.

Back to our case. Once we established the involved parties — legal and information security teams versus communications, sales, marketing, and technical support — we began the tedious work of preparing the official messaging and Q&A. We did that simultaneously with the ongoing investigation by Kaspersky’s GReAT (Global Research and Analysis Team) experts; involved team members conducted all communications over encrypted channels to exclude the possibility of compromising the investigation. Only when we had most of the A’s covered in the Q&A doc did we feel ready to come out.

As a result, various media outlets published almost 2,000 pieces based on a news break we initiated ourselves. Most (95%) were neutral, and we saw a remarkably small amount of negative coverage (less than 3%).  The balance of coverage is understandable; the media had learned the story from us, our partners, and other security researchers all working with the right information. I don’t have the exact stats, but from the way the media reacted to the story of a ransomware attack against Norwegian aluminum giant Hydro earlier this year, it seems the handling of those news stories was suboptimal. The moral of the story is, never keep skeletons in the closet.

Lesson learned — and passed on

The good news is that we’ve learned from the 2015 cyberattack not only about the technical capabilities of the most advanced cyberthreat actors, but also how to react to and communicate about the breach.

We had time to investigate the attack thoroughly and learn from it. We had time to pass through the anger and bargaining stages — I mean, to prepare the company for what we were going to say to the public. And the entire time, communication between the cybersecurity folks and corporate communication experts was ongoing.

Today, the time frame for getting ready for a public announcement has shortened dramatically: For example, GDPR requires that companies operating with customer data not only inform authorities about security breaches, but do so within 72 hours. And a company under cyberattack has to be prepared to go public from the very moment they inform the authorities about it.

“Whom should we communicate with inside the company? What channels can we use, and which should we avoid? How should we act?” These and many others are questions we’ve had to answer during the ongoing investigation. You may not have the luxury to work out these questions by yourself in the short time you have at your disposal. But this information and our valuable experience form the foundation of the Kaspersky Incident Communications Service.

In addition to standard training by certified communication specialists covering strategy and advising on external messaging, the service provides opportunities to learn from our GReAT experts. They have up-to-date information about communication tools and protocols, and they can advise you on how to behave in a breach situation.