
Getting up before you fall: how to manage a cyber crisis

Cyber crisis management needs highly qualified professionals

Cyber crisis management and communication, clearly inseparable concepts, are also undergoing change. The question here is whether the rules, the game board, or both are being reinvented.

Like every day, Tom got out of bed and repeated the ritual. He chiseled his torso with 50 push-ups, made himself an espresso in his brand new Italian coffee machine, and checked his email on his tablet. There was a strange message from JP Morgan Chase, the bank where he managed his investments. He opened it and was stunned. The email showed the entire financial history of a stranger: balances, account numbers, transactions… At that moment, Tom was still unaware of the situation he was in: he had become one of the thousands of protagonists of one of the most talked-about cyber crises of recent years.

The investment giant was rocked at the end of August by a massive data leak that hit it below the waterline: its reputation and, by extension, that of its customers. Especially those with large fortunes, who are particularly zealous about keeping details of their movements and bank statements safe.

JP Morgan was in the midst of a major crisis, but it was not the only corporate player in this situation. T-Mobile, The Phone House, Facebook, most recently Twitch… Anyone could be next. The same cliché that haunts those of us who are lovers of two wheels reigns here: there are only two types of riders, those who have fallen and those who are going to fall.

In this context of blows and more blows, a shortcoming has also become evident: communication and crisis management literature focuses on episodes that have little or nothing to do with the digital dimension that dominates our reality as people and organizations.

Crises do generate panic, and this may be another reason why, even with the best preparation, some companies ignore their contingency plans when they are in the midst of a cyber crisis. But this issue deserves its own debate.

The web is ubiquitous, asynchronous, and delocalized. Existing manuals, on the other hand, are overwhelmingly based on analog solutions. This is something we cyberintelligence professionals have very much internalized.

Facebook servers down

Noise grows exponentially with the size of the organization, and it is the enemy of proper crisis management. Recent history is very illustrative. Facebook, for example, has been the protagonist of an incident that will remain in the collective memory for some time.

A technical blunder left Facebook, Instagram, and WhatsApp without service for almost a day. Real torture for its more than 3.9 billion users. The cyber crisis was also fuelled by the company’s lukewarm response during the most critical hours.

Reputational crises, in general, always call for a pause, but reality forces us to reflect and, without interruption, to execute.

Probably not even the best contingency plan could have saved them from being burned. True. But was there a better way to manage communication at the time? Suffice it to recall that this eventuality resulted in a stock market loss of 5 billion dollars, penny up, penny down.

A cyber crisis communication plan must be a versatile instrument. Transversal and flexible. A detailed map of actions in different areas and at multiple levels.

A tool that combines widely theorized analog elements with new-generation elements marked by accelerated innovation, shaped by the constant emergence of new platforms and technological solutions and conditioned by behavioral changes in stakeholders and their demand for information.

It’s more than a declaration of good intentions. It’s «arming for war».

Following the differentiation of scenarios in which action must be taken in a cyber crisis, the CCN-CERT itself differentiates between the operational (technical) response to the incident and the strategic response. It’s in the latter area where communication takes on maximum relevance.

Having a single spokesperson to lead the response is key in a cyber crisis

The spokesperson

Faced with a critical scenario, a credible, transparent spokesperson must be designated, with the attitude and aptitude needed to withstand the pressure to which he or she will be subjected.

The spokesperson role can be shared among multiple actors, each skilled in one of the organization’s different communication channels: writing tweets is not the same as issuing a communiqué to shareholders. But always, always, under a single command, with a clear guideline of what, how, and to whom to communicate. The balance has to be established from minute zero, whatever different forms the individual exchanges may take.

It’s well known that the role doesn’t end here: the spokesperson must be as good a communication strategist as he or she is a cornerstone of the organization, so that no distance opens up between general management, and what is being discussed there, and the spokesperson’s own work. In terms of accountability, internally, there can be no noise.

The commandment of a single spokesperson comes from analog times, but his or her role is radically different in this era, both in terms of what he or she has to know and what he or she has to do.

Variables such as the architecture of participation or the decentralization inherent to the Internet completely transform the way of communicating. The journey today is horizontal, not vertical.

The answer

Another mantra from the analog era is transparency: don’t lie. Never lie. Lies have very short legs. It has always been that way, but in the digital realm, actors eager to verify a story are everywhere. Don’t facilitate another crisis.

It’s better to be imperfect, to admit mistakes. Honesty and integrity are emerging values. Transparency and rigor have proven to be effective in restoring trust. Assume your responsibilities.

If crisis management has traditionally been characterized by a good dose of silence (this doesn’t mean that it was not measured or timely), silence or inaction in the digital environment can be a big mistake. Transparency also implies communication, and maintaining activity at critical moments is evidence of reliability.

Being open can also lead to instant criticism, but the short term is fleeting and the ultimate reward in our credibility and reputation will be much more tangible.

Of course, the single discourse must also be modulated over time. An optimal response time must be foreseen for the different communication needs that may arise in a cyber crisis.

The channels

Know and use all the channels available to you depending on the scale of the incident and its seriousness. Forums, information websites, chatbots, call center services, corporate channels… Take into account the different stakeholders likely to demand information and make it easy for them. Crises are not avoided, they are led.

It’s not about talking for the sake of talking, but about being available. Don’t turn off the light. The best scenario you can find yourself in during a cyber crisis is one in which the information comes from your organization.

The horizontal and asynchronous nature of the Internet complicates cyber crisis management

The message

Well, it’s not necessary to give details of the incident, much less in phases when this information shouldn’t be disseminated. We may not even be aware of its magnitude, but we must be aware of the vulnerabilities of our organization, the map of stakeholders, and the different information strategies with them.

We must know our weaknesses better than those who may eventually try to undermine our integrity and have the necessary messages pre-designed. We must also be aware of the expectations to be met by those who legitimately, or not, demand information from us.

And again in this area, the digital environment expands the variables to be considered. The ubiquity of communication channels and the relevance of civil actors as generators of public opinion mean that our communications spectrum must be broadened and adapted to a greater variety of possible messages and channels.

Understanding the impossibility of controlling the route that the message will take once it’s broadcast is also a variable to be taken into account in digital crisis management.


Traditional crisis management has had an indisputable ally: periodic simulations of possible, previously cataloged crises.

However, in the digital world, this practice is not an obligation. An absence that will surely be swept away by recklessness, work that tries to warn that this goes beyond a catalog of good intentions and the odd legislative blow on the table.

Ransomware attacks, data leaks, internal fraud… The aim of the drills is none other than prevention. Crises are prepared for in times of calm.

We must test systems, equipment, procedures, different configurations, and action plans. We must train people. The human factor will ultimately be the one in charge of triggering each phase, the one who will bring the situation back to normal. Their work has to be scheduled and assembled.

In this scenario, cyber-intelligence services are an extremely useful weapon to face the challenges of a radically different and disruptive era.

Operational simulations, tabletop exercises, crisis committee activations… Testing ourselves is the best way to clearly identify and measure our vulnerabilities. And in security, measuring means being able to manage.
