Incident response is in the spotlight again, and for many good reasons. This year alone we’ve seen significant ransomware incidents involving Munster Technological University and ION Group. Further afield, Royal Mail’s overseas parcel delivery suffered widespread disruption after a ransomware infection in January.

We rely more than ever on technology. When it doesn’t work or we can’t access it – which is what makes ransomware such a big threat – the potential effect is enormous. This explains why the World Economic Forum’s annual Global Risks Report ranks cybersecurity risk so highly.

As I wrote in a recent opinion column, I believe it’s one of the most valuable reports a cybersecurity professional can have, because it helps them to aim messages at the board. And one of the biggest messages they need to hear right now is: what’s our plan for a major incident?

Many businesses and public sector agencies already have business continuity plans and crisis communication playbooks. But they often focus on traditional crises like natural disasters: events that would force an office to close for a time, or disrupt service in other ways.

Now’s the time to upgrade these crisis plans by integrating cybersecurity incidents into them.

Honan’s Law

I called this effect (tongue partly in cheek) Honan’s Law: organisations won’t be judged for having a security breach, but they will be judged for how they respond to it. To me, refusing to release details by claiming that investigations are ongoing – as Royal Mail did – makes no difference to stakeholders. That’s especially true of a public service that has a responsibility to the state and to taxpayers to be as transparent as possible.

We’ve blogged about the need to have response plans for times like public holidays, since that’s often when incidents happen. Now let’s focus on a vital but often overlooked element of any plan: communications.

Organisations that have been affected by a cybersecurity incident need to get a message across clearly and concisely. The language may vary depending on the audience it needs to reach. These audiences might include:

  • The public: the message needs to be simple and easy to understand
  • Staff: there could be workarounds, overtime, or other changes to ordinary business practices during any disruption. Friends, families, and possibly journalists may be asking what’s going on, so the organisation needs to tell one consistent story. Be aware that staff will be under stress and worried about the impact on their jobs.
  • Board of directors: proper communication should help them understand what’s happening, give confidence in the steps being taken, and provide oversight of the response
  • Regulators and other agencies, possibly the police: what do you need to report, and how? Are you at risk of saying something that could leave you legally exposed later on?

It’s easier to invoke a plan that’s already in place, with some alterations, than to have to design one from scratch. And the best time to update that plan is before you have an incident, not during one.

This is (not) a Test

We always stress the importance of testing an incident response plan before needing to use it for real. The same is true of communications. Ideally, you should have pre-planned any communiqués, because the moment you’ll need them is in the middle of a highly pressurised crisis.

In tandem with that, develop relationships with law enforcement and any other regulatory bodies that you may have to deal with, so you know who to contact and how to engage with them. Under certain regulations like the EU GDPR, you’re legally obliged to inform regulators if a breach meets certain thresholds. If you already have an established relationship in place with regulators or police, you can run things by them in advance. For instance, you can ask: “this is the type of communication we intend to publish, are you ok with this?”

It’s worth repeating: I believe that being open and transparent won’t compromise any investigation. On the contrary, the reputational damage could be greater if a spokesperson is poorly briefed or delivers the wrong message. Remember TalkTalk’s data breach in 2015? The then CEO Dido Harding did the rounds of media outlets but her cringe-inducing interviews reassured no-one.

Then there was the infamous Ashley Madison breach, also in 2015. For days, the company denied any hack, despite it being publicised online. And to make matters worse, the company’s early message basically amounted to: “don’t worry, your credit card details are fine”. For a website claiming to offer discreet extramarital affairs, that wasn’t the information its customers were worried about!

Law of the land

Good communication, together with a well-formulated incident response, isn’t just a nice-to-have. In some industry sectors, the ability to respond to and recover quickly from an incident is becoming a legal requirement. From Q1 2025, financial services companies must comply fully with the Digital Operational Resilience Act (DORA). It’s the first piece of EU legislation that specifically addresses the need for digital operational resilience and cybersecurity for the sector. Among the Act’s requirements is a need to have appropriate reporting processes.

We should by now be well past the point where cybersecurity threats have to fight for equal billing with other disruptive events. Fortunately, business leaders and boards are more receptive to these messages than ever. New research from the Institute of Directors in Ireland has found that 70% of business leaders and directors are extremely or very concerned about the potential impact of cyber security threats on their organisation’s business continuity.

Asked if their organisation has a cyber security incident response plan in place, 81 per cent of respondents said yes. The remainder – almost one in five – either don’t have a plan (16 per cent) or, more worryingly, didn’t know (3 per cent).

So clearly, there’s work to do. And it starts with a good incident response plan, combined with a carefully developed communications strategy.

Brian Honan is CEO and founder of BH Consulting. 
