Stay Ahead of Ransomware: Communication During a Cyber Incident

Authored by Mari DeGrazia

On the May 2025 episode of the SANS Stay Ahead of Ransomware livestream, we explored the critical role of communications during cyber incidents with special guest Kelly Miller, Managing Director at FTI Consulting. With extensive experience leading communications responses for high-profile data breaches, Kelly provided valuable insights on how to communicate effectively before, during, and after a ransomware incident.

The Communication Imperative in Cyber Incidents

Kelly emphasized that while organizations are no longer harshly judged simply for experiencing a breach, they are scrutinized for how they handle the response. Around 2020, when ransomware attacks became more prevalent, the focus of media criticism shifted from technical security failures to communication deficiencies—specifically, how clearly organizations communicated and how quickly they responded.

We discussed how every organization has its own personality when responding to incidents, with some being more transparent while others take a more conservative approach. Kelly stressed that communication plans must be tailored to each organization's unique culture and audience needs.

Preparedness: The Foundation for Effective Crisis Communication

A key theme throughout our discussion was the importance of preparation:

  • Establish relationships before incidents occur: Build connections between IT/security teams and communications, legal, and executive teams.
  • Create communication protocols: Develop approval processes, call trees, and clarify who needs to be involved in communications decisions.
  • Conduct inclusive tabletops: Include representatives from various departments, including communications and PR teams.
  • Build media relationships: Establish rapport with reporters who cover cybersecurity before an incident occurs.

Initial Response: Internal Communication Priorities

When an incident is first detected, Kelly recommended:

  • Be honest early: Build trust by being transparent about what is known and what isn't yet known.
  • Focus on operations: Clearly communicate what systems are and aren't working to reduce uncertainty.
  • Address immediate concerns: Anticipate and answer key questions, like "Will payroll be affected?"
  • Lead with empathy: Remember that emotions run high during incidents, and people may fear for their jobs.
  • Provide clear guidance: Give employees specific instructions on what they should and shouldn't communicate externally.

External Communication Considerations

For communicating with external stakeholders, we discussed:

  • Law enforcement engagement: Cooperate with law enforcement while being cautious about what information is shared. Building relationships with your local FBI field office before an incident can be invaluable.
  • Media management: Understand media cycles and how ransomware fatigue has changed reporting patterns.
  • Consistent messaging: Ensure all communications tell a consistent story across channels and audiences.
  • Audience-specific approaches: Different stakeholders need different types of information—tailor messaging accordingly.

Who Handles Communications When There's No PR Team?

Many organizations lack dedicated PR resources. Kelly suggested general counsel often serves as a good point of contact for communications, as legal strategy should guide all external messaging. Additionally, HR or marketing teams can play important roles, but collaboration across departments is essential.

Common Communication Pitfalls

We explored several ways communication can go wrong:

  • Social media leaks: Employees sharing information on personal accounts can create confusion and be picked up by news outlets.
  • Information vacuums: Without official information, people will fill in the blanks with assumptions.
  • Inconsistent messaging: Different stakeholders receiving different information creates chaos and legal risks.

To mitigate these issues, Kelly recommended providing employees with clear guidance on what they can say, reminding them of social media policies, and explaining why consistent messaging matters.

Learning More and Looking Forward

To learn more, we recommend that you watch the May 2025 episode of the SANS Stay Ahead of Ransomware livestream. You can find the episode on YouTube here.

You can also review the SANS Stay Ahead of Ransomware livestream playlist on YouTube here.

Join us on the first Tuesday of each month at 1:00 PM Eastern | 10:00 AM Pacific to take part in the SANS Stay Ahead of Ransomware show. Also, mark your calendars for our upcoming SANS DFIR Summit 2025 starting on July 24, 2025 (which includes online FOR528 training with Ryan following the Summit).

To learn more about preventing, detecting, and responding to ransomware, please check out our SANS FOR528: Ransomware and Cyber Extortion course at https://sans.org/for528