Raising awareness of the threat posed by cyberattacks

KonBriefing Research would like to positively highlight the companies and organizations that provide a high level of transparency in the event of a cyberattack by maintaining good public communication, because this increases awareness of the danger and knowledge about it among others, and hopefully leads to more prevention. To do this, we assess the communication in three categories or phases:
  • Direct: The communication immediately after a cyber attack
  • Up-to-date: Updates in the following period
  • Sustainable: Final communication

Direct: Communication immediately after a cyber attack

This covers roughly the first 2 to 3 weeks. In this phase, the scope and impact of the attack cannot yet be estimated, or only roughly. Nevertheless, the affected organization can already name the incident itself.
Criteria in the assessment
  • Was the cyberattack communicated publicly?
  • How soon after the incident was it communicated?
  • How visibly was it communicated?
  • What information was given?
Positive aspects
  • Clear naming of a cyber attack
    (at least after a few days it should not just be "technical problem")
  • Short time between discovery of the attack and first report
    (ideally: a few hours)
  • Time of the incident or discovery is mentioned
  • Notices are placed prominently on the website
    (ideal: home page at the top)
  • The attack is communicated on the organization's social media channels
  • There are indications of the basic nature of the attack
  • Initial measures are mentioned
  • Contact persons are named
  • There are updates in the following days
  • Top: There are official impressions from inside the organization on the current situation

Up-to-date: Updates in the following period

During this time, the chaos created by the attack calms down. The affected organization gains a clearer picture of the extent of the damage and of which data was accessed.
Criteria in the assessment
  • Is updated information on the cyber attack published?
  • Are there estimates of what data was accessed and what the impact is?
  • Is there information on the status of the reconstruction of the IT systems?
  • Are there estimates of the costs to deal with the attack and its consequences?
Positive aspects
  • There are regular updates
  • Growing knowledge about the impact is communicated as it emerges over time
  • There is information about whose data is affected
  • There is guidance on what affected individuals can or should do

Sustainable: Final communication

The forensic investigation of a cyber attack usually takes many months. At this point, more concrete figures on damage and consequential costs are often available. Does the affected organization report on this? Does it give other organizations the opportunity to learn from it?
Criteria in the assessment
  • Were final investigation results presented?
  • Has a forensic report been published? (happens extremely rarely, but there are individual exemplary cases).
  • Were the measures presented that were taken to prevent such incidents in the future?
  • Is there information on the damage done and the cost of recovery?
  • Is the information presented in a way that other organizations can learn from?
Positive aspects
  • There is a final assessment of the incident
  • The assessment has adequate depth so that other organizations can learn from it
  • The attack vectors are described
  • Actions taken to contain and manage the attack are described
  • The timeline of the incident is identifiable
  • The technical impact is described: e.g., number of computers and users affected
  • Data privacy implications are described: e.g., number of records exposed, type of data
  • Business implications are described: e.g., costs incurred, loss of revenue
  • Measures are described to prevent such incidents in the future.
  • Top: The company's own weaknesses that facilitated the attack are identified.
  • Top: It mentions early indications of an attack that were ignored.
  • Top: There is a forensic report or excerpts from it, at least upon request.
  • Top: There was a lecture for interested parties
  • Top: The lecture is publicly available as video or text

How is it rated?

Organizations that do a particularly good job of communicating in a category are recognized in one of the following tiers, which are shown in the respective entry:
  • ⭐⭐⭐ very good
  • ⭐⭐⭐⭐ excellent
  • ⭐⭐⭐⭐⭐ outstanding
Taken into account are the aspects mentioned in the category. However, these cannot be applied as an absolute standard, but must always be considered in the context of the organization and the situation, because ...
  • If a cyberattack happens on a weekend - which is often the case with ransomware attacks - it can take a day or two longer for the first piece of information to be released, even with good communication intentions.
  • Small companies and organizations that do not have a dedicated resource for each task may not be able to communicate as quickly and comprehensively, even with good intentions.
  • There is a much greater need for public information in the B2C sector and among public institutions than in the B2B sector.
  • Listed companies must provide information on this depending on the impact, so they may not have a choice.
  • It is understandable and legitimate that companies operating on the market do not publish all details in order not to give undue advantages to the competition, especially in the B2B sector.
  • Public institutions usually communicate a cyber attack immediately because it is part of their job and because they do not have to fear any negative consequences due to loss of image, since there are no alternatives for citizens anyway.
  • ...
Thus, the evaluation cannot be completely objectified and also has a subjective component.
The assessment only considers the communication part. Fictitious example: A cyber attack occurs at a company because it was grossly negligent, did not comply with the state of the art, and millions of data records with personal information were breached. If the company now nevertheless maintains great communication, then this would be positively acknowledged here.