• United States




Alternative communications planning and cybersecurity incident response

Apr 09, 20186 mins
Data and Information SecurityDisaster RecoveryIT Leadership

Cyberattacks can happen for a whole variety of reasons. No company is entirely safe. And these days, when digital communication is so vital to the basic operations of a company, incorporating a messaging strategy that takes into account business, legal and regulatory requirements should be a priority.

communication understanding executives phone diversity
Credit: Thinkstock

There seems to be no end in sight for ransomware and malware attacks after the spike in high-profile incidents last summer. This includes the Wannacry ransomware strike in May 2017; PetWrap/NotPetya attacks in June; the identification of “BlackOasis” through an Adobe Flash vulnerability in October; the explosive revelations of the Equifax breach; wireless security protocols that need to be patched; the Meltdown and Spectre bugs in processor chips; and most recently the Cisco Adaptive Security Appliance vulnerability, among others.

Many companies are now rightfully revisiting their incident response (IR) protocols to prepare themselves for future attacks. More and more regulatory requirements dictate that organizations must have a written IR plan. While an IR plan is just one piece of a larger, more complex cybersecurity program, it is nevertheless a critical component and one that many regulators are closely scrutinizing. Apart from the legal, reputational and regulatory risk, ransomware attacks can disable entire global businesses for several days making IR plans business critical.

One key but often-overlooked component of an IR plan is a backup communication method. If attackers completely disable a corporate email server or are even simply monitoring those emails, alternate forms of communication become crucial for managing the incident, attempting to keep the business functioning and minimizing the productivity lost as a result.

A few years ago, cybersecurity professionals might have been labeled as agitators or just plain paranoid for proposing the communications version of a storm shelter emergency kit. Even though this arguably goes above and beyond routine practices, it is exactly prudent given recent system-wide ransomware attacks. These protocols, if properly executed, will also help bolster a company’s defense posture if facing civil legal actions and regulatory investigations following a ransomware attack.

Cyber emergency response kit: first steps

Implementing a robust plan for alternative communications has many benefits: (i) assembling a core team quickly at a moment’s notice – even if email is temporarily inaccessible; (ii) triaging to implement protocols to handle the intrusion; (iii) ensuring that senior leadership remains apprised of the situation; and (iv) complying with any sector-specific or EU General Data Protection Regulation (GDPR) mandatory notice obligations as soon as possible, not only for breach notification requirements under various new pieces of legislation but also to engage assistance from law enforcement. Another potential benefit is the ability to communicate with customers or clients in real time about the impact of the breach, being mindful of the balance of keeping customer contact information secure while intentionally storing them outside of the company’s systems.

There are many important steps to take well in advance of drafting the exact protocol. Firstly, forming an IR team. In the same way that any other emergency situation will have a designated team to guide others within the company, so should a cybersecurity response team be created. Secondly, an assessment should be undertaken to identify the most immediate needs the business will have after a cybersecurity attack, which will obviously range from business to business and industry to industry (not to mention between breaches depending on their severity). Having an external party with an arms-length view of the potential threats and business risks could be beneficial. Third, more general response protocols should be in place and tested through mock exercises (sometimes referred to as “tabletop” exercises). Plans and mock exercises should include meeting locations where for senior leadership and staff should meet in the case of a breach.

Once these steps have been taken, an ancillary alternative communications strategy should be created and shared to the small core IR team that had already been identified and trained. This, unlike the more general plans, should not be stored on the company’s network or computers that could not be reached if corporate systems are down. Attackers may have access to emails, intra-company messaging services, control over computers or other devices including smartphones that employees access, so alternatives will need to be in place for each for the core response team.

Cost-efficient options

An alternative communications ‘emergency kit’ does not have to be sophisticated – in fact, the more user-friendly and basic, the better.  Many relatively low-cost options exist for purchasing basic laptops or tablets. Attacks may also intercept corporate network traffic, so consider hotspots that are not on the regular ISP service accounts that are preloaded onto the backup laptops or tablets. 

In addition, there are numerous free email accounts that offer two-factor authentication. This requires a user must input a second secret phrase or number in addition to his or her password.  Frequently, free email services enable user to have a code texted to a number that the user would input after the password. The added security benefit is that the email account can only be accessed by someone who knows the password and also has the phone associated with the account.  Generally, even if an attacker has stolen a user’s email password, he or she would still not be able to access the email account without access to the phone as well.

Email accounts created solely for this limited purpose should only be shared among the core team and the list distributed in hard copy or handwritten cards (or, better yet, pre-loaded onto the backup computers). Core IR team members and senior leadership should consider purchasing inexpensive non-smart phones with prepaid service or well-reputed phone-call apps with encrypted call options. The best option will depend on a company’s landline phone system and existing mobile phone devices. It will be important to seek advice from security experts to determine the best alternative communications plans and equipment.

Litigation and regulatory enforcement

Future litigation regarding data breaches is possible, especially if a company did not take necessary precautions. Counsel will advise a company on litigation hold requirements, but in general it is important not to destroy anything following a breach. Alternative communications would be subject to the same litigation hold requirements as regular company communication methods and can help a company to demonstrate that they had taken measures to counter any potential breach.

In addition, a company may be subject to many legal and regulatory requirements regarding breach notification. For many in the security community, one of them more concerning aspects of the GDPR, which has extra-territorial reach outside of the EU, is that notification to relevant regulators must normally take place within 72 hours of when the company (either the data controller or processor) becomes aware of the breach. While many who have worked on breach responses are rightly concerned by the ability to meet this sort of timeline, having alternative communication methods will at least allow for the possibility of doing so.

Taking these steps now will ensure that a company is well-prepared if the worst happens. In an age where attacks can happen for a whole variety of reasons, no company is entirely safe. In a digital age when digital communication is so vital to the basic operations of a company, incorporating an alternative communications strategy that takes into account business, legal and regulatory requirements should be a priority.


Tara Swaminatha is a partner at Squire Patton Boggs, focusing on cybersecurity, litigation and white collar investigations. Tara has acted as outside cybersecurity counsel on some of the most significant data breaches in recent years and has defended clients against federal, state and international regulatory actions and related litigation.

During her time in private practice, Tara has advised multinational companies on cybersecurity liability risk assessments, internal compliance measures and incident response protocols. In the instance of security or privacy incidents, Tara led an incident response effort and served as her client’s subject matter expert. Her extensive knowledge of how digital evidence may be used to prove facts litigation in security incidents has enabled her to minimize her clients’ litigation exposure during incident responses, investigations and data breaches.

At the Department of Justice (DOJ), Tara directed technical forensic investigations for federal law enforcement agencies, assisted prosecutors and investigators across the country with computer crime-related cases, and prosecuted IP crimes to combat massive online piracy of entertainment software, motion pictures and business software. Adding to her legal dexterity, Tara’s clients benefit from her technical understanding of cybersecurity methods and issues, having been the Information Security Administrator for the International Finance Corporation (IFC), part of the World Bank Group, built networks and conducted application security risk assessments while working at a boutique security firm prior to becoming a lawyer. Tara helped implement the IFC’s first information security policy for 3,000 employees worldwide.

In addition, Tara commits to considerable pro bono and volunteering activities. She represents pro bono juvenile clients seeking asylum and represents the National Association for the Education of Young Children on data governance and other matters. An active member of her community, she is a board member for the Hearing & Speech Center at Children’s National Medical Center and helps mentor families with children with hearing loss.

Tara is a frequent speaker on and writes extensively on security, privacy and cybercrime issues, having written one of the first textbooks on wireless security privacy and contributed to the National Association of Corporate Directors' Handbook on Cyber-Risk Oversight (2017 edition). She serves as an Adjunct Professor at George Mason University Law School where she teaches Computer Crime Law. She was named a Cybersecurity Trailblazer in 2017 by the National Law Journal and one of the leading cybersecurity incident response professionals as part of the “Incident Response 30.” She was also recognized in The Legal 500 for Cyber Law, where she is “commended for her experience in high-profile data breach investigations and “understands forensics and is able to digest technical reports in a meaningful and actionable way.”

The opinions expressed in this blog are those of Tara Swaminatha and do not necessarily represent those of Squire Patton Boggs or of IDG Communications, Inc., its parent, subsidiary or affiliated companies.