Good crisis communication helps the authorities to position themselves as a central and trustworthy source of information and prevent speculation, indiscretions and false reporting. Cyberattacks therefore require prompt, coordinated and well-thought-out crisis communication in order to reassure and regain the trust of stakeholders. This is a particularly challenging endeavour in the case of cyberattacks due to their technical complexity and the fact that the available information is often incomplete. In the event of an incident, those responsible must react quickly and respond to changing circumstances in real time. The coordinated flow of information, both internally and externally, requires regular consultations with all stakeholders. Sensitivity to emotions, transparency and the willingness to admit mistakes are important prerequisites in crisis communication.
Incident disclosure
In the event of a cyber incident, the crisis management team must decide whether, when and how news of the incident should be disclosed. As a general rule, early, proactive and transparent communication with stakeholders is more effective than sitting out the crisis or trying to conceal it. The following points should be taken into account when determining the right time for disclosure:
- Interests of the police investigation: Does the disclosure of the incident jeopardise the police investigation and forensics?
- Status of information: Is the available information accurate and has it been verified?
- The following principles apply: internal communication before external communication, authorities informed before the media. Early communication helps to shape public perception of the crisis.
Principles of crisis communication
- In the event of an incident, different agencies often provide information to the public at different levels. To ensure that all agencies speak with one voice, all those involved must be aware of the true facts of the incident and the official wording. This must be agreed before the public is informed.
- State only the facts.
- The public does not know the exact circumstances of the crisis or what has been agreed internally. It is therefore important that the authority concerned communicates quickly and regularly and positions itself as a central and trustworthy source of information. This means that there is no room for speculation, indiscretions or false reporting.
- When providing information, care should be taken to use language that can be understood by the general public. If the cyberattack took place in a bilingual commune/canton, information should be provided in both official languages.
- Concerns regarding security of data, goods and services must be taken seriously. It is important to show empathy.
The three phases of crisis communication
Crisis communication in the event of a cyberattack can be divided into three phases:
Phase 1: Information about the cyberattack
Phase 2: Information about steps taken to deal with the cyberattack
Phase 3: Information about the conclusion of steps taken to deal with the cyberattack
The core messages should remain the same throughout the three phases:
- The commune of (NAME) has the situation under control and has initiated the necessary steps.
- The top priority is to safeguard and ensure the integrity of data relating to the public, our employees and partners.
- The commune of (NAME) is investigating the incident and is working with the cantonal police and relevant IT service provider to find out the source and extent of the incident.
- The commune of (NAME) will provide information transparently and promptly in the event of new findings.
In collaboration with the cantons of Zurich and Vaud, the National Cyber Security Centre has drawn up templates for crisis communication for communes in the event of a cyberattack.
Templates for Q&A for media enquiries
Templates for media releases about ransomware attaci
Templates for media releases about DDoS attacks
Links to further information:
Last modification 01.01.2024
