During the immediate aftermath of a security breach, how much information am I required to give to other people working in the company? As a security professional, do I just need to let them know how business operations will be affected, or should I let them know details of the breach so they know what might have been compromised and where to be careful?

Requires Free Membership to View

When thinking about incident response, communication is critical. Organizations need to think about communication in two phases. The first phase takes place during the incident; say as little as possible because it may be unclear who is responsible, and giving away too much could impede a possible investigation. Send out a blanket statement saying there has been a security breach, it's under investigation and the company will have an official statement as quickly as possible. The people that are directly affected need to understand how and what they should be doing, but until the storm blows past, keep a tight lid on information.

In the aftermath of a security incident, it's wise for organizations to do a formal post-mortem. This is the second phase of communication. Employees need to understand what happened, who was responsible and, most importantly, what new processes and/or controls should be implemented to make sure it doesn't happen again. A big part of these lessons learned is to communicate to the staff at large.

Don't point fingers or make an example of anyone, but do use the security incident as an internal case study; it's a great example of how to leverage something current and timely to educate employees. Alternatively, consider using another company's breach as an educational device. Of course, that won't be as timely or effective, but at least it won't be coming on the heels of the company's own breach.

More information:

This was first published in May 2008