Crisis management

Anticipating a cyber crisis: how to communicate in times of crisis?

How do you communicate internally during a crisis? Should the usual channels be used? And externally, how do we communicate with the press?
7 min

In our “Anticipating a cyber crisis” series, find the best advice and feedback from HarfangLab experts, as well as from CISOs and other players in the cyber ecosystem. The aim is to capitalize on experience in the field to enrich everyone’s knowledge. In this article, read the testimonials of Jean-Sylvain Chavanne, CISO at Brest Regional University Hospital, and Pierre-Yves Amiot, CXO at HarfangLab.


The importance of anticipating crisis communications

During a cyber crisis, it’s crucial to ensure good communication between all internal players. But these are not the usual methods of communication, and some adjustments will have to be made! Anticipating this factor not only helps you to act quickly and in a coordinated fashion, but also to protect the content of exchanges between stakeholders throughout the crisis phase.

You also need to prepare your crisis communications for the outside world, especially the press. Don’t neglect this aspect, which is fundamental to managing the risks to your organization’s reputation, and preserving the relationship of trust with your customers and partners.

Internal communication

Provide an alternative watertight IS

In the event of a cyber incident, the usual channels of communication between employees are highly likely to be compromised. For example, it may no longer be possible to communicate via Teams, WhatsApp, email, SMS… It is therefore necessary to plan an alternative IS to ensure fluid and secure communication in your crisis cells, with tools for collaboration, email and reporting.

Remember to keep this alternative IS up to date and to test it regularly: if your teams discover it on the day of the crisis, communication will be much more complex and slowed down, and every minute counts in times of crisis!

You can use dedicated crisis management tools for this alternative IS: there are SaaS solutions that offer common visibility over all crisis management processes, and via which you can communicate.

Pierre-Yves Amiot, CXO HarfangLab

“It’s important to understand the importance of sealing off this alternative IS. I’ve already seen the case of a customer who was carrying out an investigation following the detection of a security incident, except that the attacker had access to the crisis unit’s communication channels… The customer did have an alternative IS, but it wasn’t watertight. The result? All remediation actions were identified in advance by the attacker.” 


Jean-Sylvain Chavanne, CISO Regional University Hospital Brest

“During the crisis that affected the Brest Regional University Hospital in March 2023, we made no connection to the Regional University Hospital’s computers. We communicated by telephone. And if need be, we went through personal connections, on personal workstations.” 

Back to paper

Managing a cyber crisis means going into downgraded mode, and therefore reverting to very basic communication tools, such as paper! Typically, you’ll need an emergency paper directory. For example, if your website is no longer accessible, you’ll need to contact your web host: their contact should be handwritten in this document.

Standardize information flow

Every action, whether technical or strategic, must be documented and identified, to ensure traceability. The three key points to note every time are the answers to the questions: “Who, what, when?”. Even if you don’t think the information recorded is useful at the time, everything must be notified. In addition to ensuring standardized crisis communication, this will enable you to capitalize on the event later, and update your crisis management procedures.

Don’t forget that the technical team must remain focused on its primary mission, i.e. investigation and remediation. So set up a communication system that enables it to stay focused on its mission, and carry out actions one by one, in order of priority.

Consider dedicating a room to crisis management. It must be able to accommodate all the unit’s participants, with all the equipment at their disposal. Remember to hold daily briefings: technical briefings for remediation actions, and reporting to the management team.

Jean-Sylvain Chavanne, CISO Regional University Hospital Brest

“Within the strategic cell, we had set up a single channel for requests, forwarded to the technical cell, and we prioritized them (P1,P2,P3, etc). This method prevented the technical crisis unit from being swamped with requests from all sides.” 

External communications

Should you contact the press yourself if you are the victim of a cyber attack?

Many organizations fail to communicate the fact that they have been the victim of a cyber attack. In 2021, this was the case for around 90% of organizations that fell victim to ransomware, according to figures from Cybermalveillance.gouv.fr.

But failing to communicate or downplaying the facts exposes you to reputational risks. Indeed, samples of stolen data or evidence of the attack may be made public and reveal an attack you tried to hide, or contradict your official version. In such cases, it is clearly more difficult to regain the trust of the media and your customers and partners after the event.

In the event of an attack, every situation is different, and deserves to be communicated accordingly, but in general it’s best to focus on sincerity. Stay sober, factual, and show that you’re doing everything you can to manage the situation. By taking the initiative, you’ll also avoid letting false information spread. Depending on the evidence you have, you can give the date of the attack, the type of attack, its consequences, and the measures you have put in place (notification of the relevant authorities, remediation, etc.).

Designate a single person as your contact with the press, to avoid misunderstandings and control outgoing information. Don’t hesitate to arrange for this person to undergo media training: cyber crisis communication is a difficult exercise, and talking to journalists is not something you can improvise. Preserve your reputation by preparing this aspect in advance.

Jean-Sylvain Chavanne, CISO Regional University Hospital Brest

“On Friday March 10, 12 hours after the incident was discovered, the Agence Régionale de Santé (ARS) issued a press release. It is obliged to do so, as it is responsible for managing patient transfers if the facility is no longer able to provide care.

On the following Monday, at D+5, the Communications Department and I wrote a press release so that the local media could relay the news to patients: we had no way of communicating with them, since we no longer had access to the Internet! We provided a telephone number so that patients could contact us. We managed the rest of the crisis communication with two further press releases.

As far as press relations were concerned, we first had to defuse certain rumors: some people were saying that the plant was the victim of ransomware, but this was not the case. Subsequently, the press was rather benevolent, and helped us relay our messages.” 

In conclusion

  • Provide an alternative, watertight IS, and test it regularly.
  • Remember to communicate in low-key mode: paper, pencil and telephone are your best allies.
  • Standardize the flow of information through a single communication channel, for both strategic and technical units. Record ALL your actions.
  • Anticipate press fallout by training someone in charge of relations with journalists in cyber crisis communication, and avoid concealing the attack.

Would you like to find out more about our experience in anticipating a cyber crisis?

Follow our experts’ advice to prepare your information systems as effectively as possible.

I want to know everything!