In the first few hours after detecting a serious cybersecurity incident, the company's incident-response team receives multiple questions from journalists. According to widely accepted crisis-communication guidance, what is the most appropriate way to handle these initial media requests?
Release a technical blog post that details the suspected attack vector and indicators of compromise to demonstrate transparency.
Refuse to comment publicly until the digital forensics and root-cause analysis are fully completed.
Allow each affected business unit to answer media queries directly so information can be shared more quickly.
Publish a brief holding statement acknowledging the incident and stating that an investigation is under way.
Best practice is to publish a concise holding statement that confirms an incident has occurred and that an investigation is in progress. This approach acknowledges the situation without locking the organization into details that may change and avoids speculation that could later undermine credibility. Withholding all comment until forensics are complete, releasing technical indicators immediately, or allowing disparate business units to respond independently all increase the risk of misinformation or inconsistent messaging.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why is a holding statement essential during a cybersecurity incident?
Open an interactive chat with Bash
How can inconsistent messaging harm an organization during a crisis?
Open an interactive chat with Bash
What are the risks of sharing technical details about an incident too soon?