When organisations think about cyberattacks, the focus is typically on compromised endpoints, stolen credentials, or encrypted infrastructure. Communication systems rarely feature in that initial threat model.
However, in practice, communication is often one of the first capabilities to degrade during a serious incident - and in some cases, one of the first deliberately targeted.
This is not accidental. It reflects a shift in how attackers create leverage during an attack.
Modern organisations are highly dependent on a small number of tightly integrated communication platforms. Email, messaging, and video conferencing are typically connected through a shared identity layer and accessed via the same devices and networks as other business systems.
This creates an implicit assumption: that communication will remain available during an incident.
In reality, this assumption is fragile.
If identity systems are compromised, access to communication platforms may be restricted. If networks are segmented or taken offline as part of a containment strategy, communication tools may become unavailable. Even where systems remain operational, their integrity may be in question.
At that point, communication is no longer a reliable control mechanism. It becomes a source of uncertainty.
The disruption of communication is not always a primary objective, but it is frequently an enabling condition. Several common attack patterns illustrate this.
Account compromise and message manipulation - Where attackers gain access to email or messaging platforms, they can interfere with internal coordination. This may involve suppressing alerts, impersonating key individuals, or selectively influencing conversations. The result is not simply unauthorised access, but a distortion of the organisation’s understanding of the situation.
Identity-layer disruption - Because communication platforms depend on identity providers, any compromise at that level can have cascading effects. Lockouts, forced resets, or defensive shutdowns can prevent teams from accessing the very tools they rely on to respond.
Collateral impact from containment measures - In many incidents, communication failures are self-inflicted. Actions taken to isolate systems - while necessary - can unintentionally disrupt collaboration tools. In these scenarios, organisations contain the threat but degrade their own ability to coordinate a response.
Observation of response activity - In more advanced intrusions, attackers monitor internal communications to understand how the organisation is reacting. This allows them to adapt in real time, evade detection, or maximise impact before remediation efforts take effect.
Taken together, these dynamics mean that communication is not just affected by an incident - it can become part of the attack surface itself.
When communication channels become unreliable, the impact is immediate and systemic.
Decision-making slows as leaders operate with incomplete or unverified information. Teams begin to work in parallel rather than in coordination, often duplicating effort or missing critical dependencies. Escalation paths become unclear, and response activities lose coherence.
Importantly, these effects are not driven by a lack of technical capability. They are the result of a breakdown in the mechanisms that allow an organisation to act as a coordinated unit.
This is why relatively contained technical incidents can escalate into broader operational crises. The limiting factor is not always the severity of the attack, but the organisation’s ability to respond effectively under degraded conditions.
Most security strategies prioritise prevention, detection, and technical response. Communication is typically treated as a supporting function rather than a core component of resilience.
Incident response plans often assume that teams will coordinate via standard business tools. These plans may define who should be involved and what actions should be taken, but they rarely address what happens if communication channels are unavailable or untrusted.
This creates a structural gap. The success of the response depends on a capability that has not been explicitly designed, tested, or secured for crisis conditions.
Organisations that perform well under pressure tend to treat communication differently. Rather than assuming availability, they design for failure.
This includes establishing communication channels that are independent of primary business systems, with clear criteria for when they should be used. It also involves defining roles and responsibilities in a way that reduces ambiguity during the early stages of an incident.
Equally important is the need to test these arrangements under realistic conditions. This means exercising not only technical response procedures, but also the transition to alternative communication methods when standard tools are unavailable.
The objective is not to eliminate disruption - this is rarely possible - but to ensure that coordination can continue even when core systems are impaired.
A useful way to assess preparedness is to consider a simple scenario:
If your primary communication platforms were unavailable or potentially compromised, how would your incident response team coordinate its actions? Do you have an out-of-band communication strategy to fall back on?
This is not a question of tooling alone. It is a question of whether communication has been treated as a critical dependency within your resilience strategy.
Attackers do not need to fully disable an organisation’s systems to achieve their objectives. Disrupting communication - whether directly or indirectly - can be sufficient to delay response, increase confusion, and amplify impact.
For this reason, communication should not be viewed solely as a business enabler. In the context of cyber incidents, it is a core operational capability and, increasingly, a point of vulnerability.
Organisations that recognise this are better positioned to respond effectively when it matters most.