The business SHALL implement, document, and frequently utilize secure communication channels to disseminate and receive information regarding information security matters.

A quality information security program is not solely about the physical and technical controls implemented. For the program to be truly effective, businesses need to ensure good communication with all stakeholders, both internal and external. This is especially important in situations where new technologies are implemented, and the entire workplace needs to be informed. It is also critical in cyber incident scenarios where multiple roles need to come together quickly to contain and eliminate a threat.

For businesses to avoid falling into chaos due to a lack of communication, they must ensure that functional, secure communication channels are identified, implemented, and tested. Every business should have multiple channels using various platforms. There should be a mix of online platforms like encrypted instant messaging services, email, and company portals, as well as more traditional channels like telephony and fax.

If the business uses a cloud platform like Google Workspace or Microsoft 365, it can build a chat specifically dedicated to information security issues. Both platforms offer chat applications specifically for this purpose: Google Chat and Microsoft Teams, respectively. The information security chat should include all stakeholders who have a need-to-know requirement for information security matters. If the business comprises a larger workforce, it should implement multiple chats, with each one designated for a specific level of knowledge. One chat could be for cybersecurity management matters, another for crisis and incident response emergencies, and another for general security awareness sharing with lower-level employees.

Video conferencing tools are a staple of modern work environments and are great for communication if the business involves multiple parties that are often geographically separated. Zoom, Teams, and Google Meet are video conferencing tools commonplace in professional environments today. Many businesses already use video conferencing tools to hold meetings with various internal and external personnel. In many ways, this is a more comfortable way to share information with security stakeholders than in-person meetings. If businesses identify a need to contact other employees regarding cybersecurity and/or tech support matters, they can schedule recurring meetings with all employees to freely discuss and review concerns and areas of interest.

For more immediate matters that need to be communicated organization-wide, businesses should ensure that an email group including appropriate employees and stakeholders is configured. Whenever a cybersecurity incident or news development of interest arises, a formal email should be sent to the group containing an overview. This channel is also appropriate for disseminating cybersecurity newsletters/bulletins and articles, as well as information on how emerging threats are applicable to the organization.