It happened at 2:47 AM on a Tuesday. The security operations centre detected unusual encryption activity spreading across the network. Within minutes, the decision was made: shut it all down. Email servers offline. Microsoft Teams inaccessible. The company intranet - home to every crisis response procedure - encrypted. The ransomware attack everyone feared had finally arrived.
The CISO had done everything right. Multi-factor authentication? Implemented. Security awareness training? Quarterly. Endpoint detection and response tools? Best-in-class. Backup systems? Tested monthly. Yet here they were, sitting in the dark, unable to answer the most fundamental question of crisis management: How do we coordinate our response when we can't communicate?
Organisations invest heavily in prevention - in fact, according to Gartner, global spending on cybersecurity is projected to reach $240 billion in 2026.
Security teams deploy sophisticated tools, conduct penetration testing, and train employees to spot phishing attempts. Boards of directors receive quarterly briefings on security posture. Compliance frameworks are meticulously followed.
Yet breach rates continue to climb. The IBM Cost of a Data Breach Report found that the average time to identify and contain a breach sits at 241 days. Even organisations with mature security programs find themselves compromised. Why? Because the threat landscape evolves faster than defences can adapt. Zero-day vulnerabilities emerge. Supply chain attacks bypass perimeter security. Sophisticated threat actors find ways in.
The uncomfortable truth that security leaders are beginning to accept: you can do everything right and still become a victim. The question is no longer if you'll be breached, but when - and whether you'll be ready to respond effectively when it happens.
Most crisis response plans focus on what to do: isolate affected systems, activate the incident response team, engage forensics partners, notify stakeholders. These plans are detailed, thorough, and often rehearsed. What they don't address is something far more fundamental: how these actions will be coordinated when your primary communication infrastructure is compromised or taken offline as a precautionary measure.
Picture the scenario unfolding:
Email servers are either encrypted by the attackers or deliberately taken offline to prevent lateral movement. Either way, they're unavailable.
Microsoft Teams or Slack run on the same infrastructure that's been breached. Can you trust them? Should you use them and risk the attackers monitoring your response strategy?
Contact directories are stored in systems that are now inaccessible. Who has the personal cell phone numbers for the entire crisis team? Where is that spreadsheet with vendor emergency contacts?
Crisis playbooks are beautifully formatted documents stored on SharePoint or the company intranet - both of which are now offline.
Phone trees exist in theory, but in practice, who remembers phone numbers anymore? And if someone does start making calls, how do you ensure message consistency? How do you coordinate group decisions?
This is response paralysis - the moment when an organisation realizes that the very tools they rely on to manage a crisis are casualties of that crisis. The incident response plan sits useless in an inaccessible system while precious minutes tick by. Every minute of confusion, every failed attempt to reach team members, every delay in engaging legal counsel or notifying regulators extends the impact and increases the cost.
This isn't a theoretical problem. It's playing out across organisations of every size and sector, from healthcare systems to law firms to manufacturing companies. The question that keeps CISOs awake at night isn't about perimeter security anymore - it's about coordination in chaos.
Headlines focus on ransom demands - the millions paid to decrypt systems and prevent data publication. But ransom payments are often the smallest part of the total cost. The real damage comes from downtime and the cascading operational impacts that follow.
Sophos's State of Ransomware Report found that almost half of organisations (47%) were unable to recover from an attack inside a week. For many organisations, every hour of downtime costs tens or hundreds of thousands of dollars in lost revenue. But the financial impact goes beyond immediate losses:
Supply chains grind to a halt because vendors and partners can't be reached with timely updates about delivery schedules or order changes
Customer confidence evaporates as communication blackouts fuel speculation and concern on social media
Regulatory deadlines are missed because coordination with legal counsel is delayed, leading to additional penalties
Media narratives spin out of control in the absence of coordinated public relations response
Recovery time extends exponentially as technical teams, business units, and executives struggle to make coordinated decisions
Poor coordination doesn't just extend downtime - it multiplies damage across every dimension of the business. The longer it takes to establish effective communication, the more opportunities for mistakes, miscommunication, and missed deadlines. Each hour of delayed or fragmented communication adds to recovery costs and reputational damage that can take years to repair.
Effective incident recovery isn't a linear process managed by a single team - it's a complex orchestration involving multiple groups, each with different roles, priorities, and information needs:
The technical incident response team needs to coordinate containment efforts, analyse the scope of the breach, and manage recovery operations. They're working with forensics partners, potentially external IR firms, and coordinating with IT operations to bring systems back online safely.
Executive leadership needs real-time updates to make strategic decisions: Should we pay the ransom? When do we notify customers? How do we communicate with the board? What's our public statement?
Legal counsel must track regulatory notification requirements, coordinate with law enforcement, and ensure all actions are properly documented for potential litigation.
Public relations and communications teams need to craft consistent messaging for customers, media, employees, and other stakeholders—all while the situation continues to evolve.
Human resources must communicate with employees who may be unable to work, address concerns about data exposure, and maintain morale during the crisis.
Finance teams need to authorize emergency spending, coordinate with cyber insurance providers, and track costs for recovery and potential claims.
Key suppliers and partners must be kept informed about operational impacts and timeline for restoration to prevent cascading disruptions through the supply chain.
Each of these groups needs secure, reliable communication—not just within their teams, but across functions. Strategic decisions require input from technical experts. Technical recovery efforts need approval from legal and executive teams. Customer communications need to be consistent with what legal is saying to regulators. This level of coordination is impossible when your communication infrastructure is down.
In the absence of planned communication infrastructure, organisations often improvise: personal cell phones, consumer WhatsApp groups, text message chains. These ad-hoc approaches introduce new problems:
Security concerns: Consumer messaging apps weren't designed for crisis management. Are they encrypted? Who has access? Could attackers intercept communications about your response strategy?
Lack of audit trail: When regulatory investigations or litigation follow, organiations need to demonstrate their response process. Text messages on personal devices and disappearing WhatsApp conversations don't create the documentation you need.
Information chaos: Without structure, critical updates get buried in message threads. New team members can't catch up on what's happened. Decisions are made in one channel while others aren't informed.
Difficulty scaling: As the incident escalates and more people need to be involved, ad-hoc systems break down. How do you quickly and securely bring in external counsel, forensics experts, or board members?
No mass notification capability: When you need to communicate with all employees simultaneously - to inform them the network is down, provide status updates, or give them instructions - text message chains don't scale.
The improvised approach might feel resourceful in the moment, but it creates gaps, delays, and risks that compound the incident's impact.
"Out-of-band communication" is a technical term for a critically simple concept: a completely separate communication channel that doesn't touch your primary network infrastructure. When your corporate systems are compromised, out-of-band channels remain available because they exist on independent infrastructure.
Think of it like a building's emergency systems. The main electrical system powers your everyday operations, but emergency lighting and fire alarm systems have independent power supplies. When the main system fails, the emergency systems activate precisely because they were designed to be separate.
For crisis communication, true out-of-band infrastructure needs to deliver several key capabilities:
Independence from your primary network: It must be hosted separately, with its own infrastructure, so that whatever happens to your corporate systems doesn't affect your ability to communicate.
Accessibility via mobile devices: When corporate laptops are locked down or unavailable, team members need to access the system from personal devices with the appropriate security controls.
Encryption and security: You're discussing sensitive information about the breach, your response strategy, and business impacts. The system must be secure enough to prevent attackers from monitoring your recovery efforts.
Pre-populated contacts and documentation: In a crisis, you don't have time to hunt down phone numbers or remember URLs. Your crisis team contacts, vendor information, and response playbooks should already be in the system, ready to access.
Video conferencing capability: Complex decisions can't always be made via text. You need the ability to convene virtual crisis rooms where leadership can discuss strategy, technical teams can walk through recovery plans, and cross-functional groups can coordinate.
Mass notification functionality: When you need to reach all employees, customers, or other stakeholders simultaneously with consistent messaging, you need broadcast capability that works even when email is down.
Audit and compliance features: Every message, decision, and action needs to be logged. Not only for potential regulatory investigations or litigation, but also for post-incident analysis to improve future response.
Rapid onboarding: As the incident evolves, you may need to quickly bring in external experts, board members, or other stakeholders. The system needs to allow secure, fast access without compromising security.
All of this infrastructure must be in place before the crisis hits. You can't set up secure communication channels while you're in the middle of an incident—it needs to be ready and tested as part of your preparation.
Many organisations are confident in their crisis preparedness. They have comprehensive incident response plans. They conduct tabletop exercises. They test their backups quarterly. But few organisations actually test the one thing that determines whether all those other preparations can be executed: communication.
Consider these scenario-based questions:
"It's Saturday night at 11 PM. Your network has been encrypted. How do you convene your crisis team within the hour?" Can you? Do you have personal contact information for all critical team members? If you start calling people, how do you coordinate as a group rather than having ten separate conversations?
"Your contact directory is stored in systems that are now inaccessible. How do you reach your top 50 internal and external stakeholders?"Is there a printed list somewhere? Does your CISO have everyone's mobile numbers memorised? What about your forensics partner, your cyber insurance provider, outside legal counsel?
"Your incident response firm needs to join the crisis response immediately. How do you securely onboard them to your communication channels?" Do you have a process for this? Can you provision access quickly? How do you ensure they can see the full history of decisions and updates?
"You need to notify 5,000 employees that the network is down and they should not attempt to access corporate systems. How do you reach them?" Email is unavailable. Do you have an alternative mass notification system? How long would it take to reach everyone?
"Forty-eight hours into the incident, a regulator asks for documentation of all decisions made and communications sent. Can you provide a complete audit trail?" If your team has been coordinating via personal text messages and phone calls, the answer is probably no.
These aren't rhetorical questions. They represent real gaps in most organisations' crisis preparedness. The time to discover these gaps isn't during an actual incident—it's during testing and simulations.
Crisis simulations should explicitly test communication failure scenarios. Don't just assume Teams or email will be available. Run a scenario where they're not, and see what happens. The discomfort and confusion your team experiences during a simulation is valuable feedback - it reveals where your plans break down.
When an out-of-band communication platform is in place, the recovery process becomes coordinated rather than chaotic. Here's how it supports each phase:
Assessment Phase: As soon as the breach is detected, the incident commander can use secure chat to quickly assemble the crisis team, share initial findings, and begin coordinating the response. Leadership can join a video crisis room to receive briefings and make initial strategic decisions. Everyone has access to the same information at the same time.
Containment Phase: Technical teams coordinate system isolation and containment measures. Cross-functional communication ensures that business units understand which systems are being taken offline and can plan accordingly. External forensics partners can be securely onboarded to collaborate with internal teams.
Stakeholder Management: PR teams draft communications while legal reviews them. Leadership approves messages before they go out. Mass notification capabilities allow consistent, simultaneous communication to employees, customers, and partners. Everyone receives the same information, reducing confusion and speculation.
Recovery Phase: As systems are rebuilt and restored, technical teams coordinate with business units on priorities. Suppliers and vendors receive updates on operational status. The recovery process is documented in real-time, creating the audit trail needed for post-incident reporting.
Post-Incident Analysis: All communications, decisions, and actions are logged and available for review. The organisation can conduct a thorough after-action analysis, identify lessons learned, and improve processes for the future. Regulatory or legal inquiries can be addressed with complete documentation.
Throughout all of this, the communication infrastructure remains secure, reliable, and independent of the compromised corporate systems. The result: faster recovery, better coordination, reduced costs, and maintained stakeholder confidence.
The cybersecurity industry is undergoing a fundamental shift in mindset. The old paradigm - build walls high enough to keep attackers out - is giving way to a new reality: assume compromise and focus on resilience.
This doesn't mean abandoning prevention. Strong security controls, employee training, and threat detection remain essential. But they're no longer sufficient on their own. Organisations must prepare for the scenario where all those defenses fail - because eventually, against determined attackers, they will.
The question isn't whether your organisation has strong enough security to prevent breaches. The question is whether you have strong enough resilience to respond, recover, and maintain trust when a breach occurs.
This shift from "if" to "when" isn't pessimism - it's pragmatism. It's the recognition that the threat landscape has changed, that perfect security is impossible, and that preparation for the worst case is as important as prevention.
The organisations that will survive and thrive in this environment aren't necessarily the ones that never get breached. They're the ones that can respond effectively when it happens. They're the ones whose crisis teams can communicate and coordinate even when primary systems are down. They're the ones whose stakeholders receive timely, accurate information because mass notification infrastructure was already in place. They're the ones who can demonstrate to regulators, customers, and the public that they handled the incident professionally and transparently.
Your prevention strategy protects you most of the time. Your recovery plan protects you when prevention fails. Both matter, but only one determines whether a cybersecurity incident becomes a manageable crisis or an existential threat.
As you review your organisation's incident response plans, your crisis communication procedures, and your business continuity preparations, ask yourself one question:
"If our network goes down in the next 60 seconds, could we still coordinate our response?"
If the honest answer is "no" or "probably not" or "we'd figure something out," then you have a critical gap in your preparedness. That gap - the inability to communicate during a crisis - is the weakest link in your entire security and resilience strategy.
The good news is that it's a solvable problem. Out-of-band communication platforms exist. The technology is mature. The implementations are proven. The only question is whether your organisation will put it in place before you need it, or discover its absence at the worst possible moment.
Because in the end, your recovery plan is only as good as your ability to execute it. And execution depends entirely on communication.
Ask yourself if you can answer "yes" to these five questions:
Can I reach my entire crisis team within 15 minutes, even on a weekend?
Can they coordinate as a group without using corporate email or Teams?
Can I securely bring in external partners during an active incident?
Can I send consistent updates to all employees when email is unavailable?
Will I have a complete audit trail of all crisis communications?
If any answer is "no," it's time to evaluate your out-of-band communication strategy