Imagine coming to work on Monday morning, and you find out that your company’s email system is compromised. Hackers have access to every email account. Because of that they also have access to every user’s Slack or Microsoft Teams account, Skype for business, OneDrive, Sharepoint sites, the intranet. Your CRM. The company Twitter account. Every computer is likely running malware giving the hackers remote access. You can’t trust a single company computer or cloud account. Your company needs to handle this, and you need to talk to each other without the hackers knowing what is being said and who is talking. This is when you wish you had set up some other communication channels, ready to be used, that would not be compromised directly from the primary business systems.

Having an out-of-band communication channel for the day your IT systems are all compromised can be the difference between “handling the situation” and “chaos and bankruptcy”. Plan in advance.

There are many systems that can be used, but it will be really hard to get things going if it is not planned and set up up front. How do you get the message out what system to use, without revealing too much to the hackers, if you have to set everything up after your primary channels have been compromised?

  • Agree on a company level what system to use for out-of-band communications and set it up for the most important functions in the company.
  • Do not communicate about this system within the normal channels. Transfer the information on paper, or face-to-face. That way the bad guys won’t so easily find out what the next target should be once the primary systems have been compromised.
  • Choose a system that has strong security features, like Signal or WhatsApp.
  • Set up the necessary groups, e.g. for security, top management, external comms.
  • Evaluate if you need to include external partners in your out-of-band communication protocols. These may be consultants, PR agencies or perhaps the insurance company?

Also, knowing who to reach out to for what, is important in a difficult situation like this. If you are used to relying on a company directory service or intranet page for this, you may be out of luck during a cyber attack. Keep the most important information available on paper for a rainy day – including emergency contacts, phone numbers, communication and escalation protocols.

In fair weather prepare for foul.

Thomas Fuller

Leave a Reply