Most organisations have a crisis management plan. Many have backup systems. But when ransomware strikes, when your cloud provider goes down, or when a sophisticated attacker compromises your primary IT infrastructure, there's one question that separates resilient organisations from those scrambling to recover:
Can you still communicate?
The harsh reality is that most "backup" communication systems aren't truly independent. They rely on the same authentication systems, the same network infrastructure, or the same cloud providers as your primary channels. When those fail—and during a crisis, they often do—your backup fails too.
This checklist will help you determine whether your organisation has genuine out-of-band communication capabilities or just the illusion of resilience.
Before we dive into the checklist, let's be clear about what out-of-band actually means. It's not simply having Microsoft Teams AND Slack. It's not having email plus SMS. True out-of-band communication means having a completely independent, ring-fenced system that:
❌ FAIL: We would use email to notify the crisis team, or we'd manually call people using contact lists stored in Outlook
⚠️ PARTIAL: We have phone numbers stored separately, but we'd need to manually call each person
✅ PASS: We can activate our crisis team through an independent platform that doesn't rely on email, with automated multi-channel alerting
Why this matters: Email is often the first system to go down during a cyberattack or becomes inaccessible during ransomware encryption. If your crisis activation depends on it, you can't even begin coordinating a response.
❌ FAIL: All our collaboration tools run on the same infrastructure or cloud provider
⚠️ PARTIAL: We have video conferencing on different providers, but they use the same authentication
✅ PASS: We have a completely independent virtual crisis room capability with separate video, chat, and collaboration tools (like white boarding)
Why this matters: The CrowdStrike incident in July 2024 showed how quickly organisations can lose access to their primary collaboration tools. Without an independent virtual crisis room, distributed teams cannot coordinate effectively.
❌ FAIL: Our contact lists are only in Active Directory, our HRIS, or email systems
⚠️ PARTIAL: We have exported contact lists, but they're stored in systems that might be affected
✅ PASS: Our out-of-band system maintains its own contact database with real-time acknowledgment tracking through 2-way communication
Why this matters: During a crisis, knowing who's available and who's responded is critical for delegation and coordination. If this information is locked in compromised systems, you're flying blind.
❌ FAIL: All our systems use the same identity provider or SSO
⚠️ PARTIAL: We have some systems with separate authentication, but they're not set up for crisis management
✅ PASS: Our out-of-band platform has completely independent authentication that doesn't rely on our primary Identitiy Provider (IdP)
Why this matters: Sophisticated attackers specifically target identity systems to lock out administrators. If your "backup" systems use the same authentication, you're locked out of those too.
❌ FAIL: We provision all access through systems that might be compromised
⚠️ PARTIAL: We could eventually give access, but it would take significant time
✅ PASS: Our out-of-band platform allows rapid, secure provisioning of external responders independent of primary systems
Why this matters: Most serious incidents require external expertise. The ability to quickly bring in and connect with forensics teams, legal counsel, or PR specialists can be the difference between containment and catastrophe.
❌ FAIL: Our backup systems are still on our corporate network
⚠️ PARTIAL: Some team members could access via personal devices, but not systematically
✅ PASS: Our out-of-band platform is accessible from any internet connection and doesn't require corporate network access
Why this matters: During ransomware or breach containment, security teams often need to isolate networks. Your crisis communication can't be on the same network you might need to shut down.
❌ FAIL: All our crisis documentation is in our primary document management systems
⚠️ PARTIAL: We have printed playbooks, but they're not regularly updated or easily accessible
✅ PASS: Our critical crisis documentation is stored within our out-of-band platform and is always accessible
Why this matters: Ransomware doesn't just encrypt files - it encrypts your response playbooks. Having procedures locked in systems you can't access is like having a fire extinguisher behind a locked door during a fire.
❌ FAIL: We would need to use personal email or consumer file-sharing services
⚠️ PARTIAL: We have secure alternatives, but they're not integrated into our crisis workflow
✅ PASS: Our out-of-band platform includes secure document sharing with appropriate access controls and audit trails
Why this matters: During a breach, you're handling extremely sensitive information—forensic evidence, legal strategy, communication plans. Using insecure channels could compound the breach or create legal exposure.
❌ FAIL: Our audit logs are only in systems that might be affected
⚠️ PARTIAL: We could reconstruct events manually, but it would be incomplete
✅ PASS: Our out-of-band platform maintains independent logs of all crisis communications and decisions
Why this matters: Post-incident investigations, regulatory inquiries, and potential litigation all require clear records of who knew what and when. Loss of audit trails can create massive compliance and legal issues.
❌ FAIL: We rely solely on email or internal chat platforms for company-wide communication
⚠️ PARTIAL: We could use SMS, but we don't have everyone's personal numbers or a systematic way to send them
✅ PASS: We have multi-channel mass notification capabilities (SMS, voice, push notifications) independent of our primary systems
Why this matters: During a crisis, employees need guidance—whether to work from home, avoid corporate systems, or take specific security actions. If you can't reach them, confusion and secondary damage multiply.
❌ FAIL: We would resort to personal email or phone calls without secure verification
⚠️ PARTIAL: We have emergency contacts, but no secure, verified communication channel
✅ PASS: We have pre-established, verified communication channels for critical stakeholders in our out-of-band platform
Why this matters: Attackers sometimes impersonate executives during crises to cause additional damage or extract information. Verified communication channels prevent this and give stakeholders confidence in your messages.
❌ FAIL: We rely on email or ticketing systems that might be down
⚠️ PARTIAL: We have a phone number, but no systematic way to triage and track incoming information
✅ PASS: Our out-of-band platform includes dedicated channels for receiving, categorizing, and responding to incoming crisis communications
Why this matters: Crises generate enormous volumes of incoming communication—reports of issues, requests for guidance, media inquiries. Without a way to triage these, critical information gets lost in the noise.
❌ FAIL: We've never tested, or our tests assumed primary systems would be partially available
⚠️ PARTIAL: We've done tabletop exercises but haven't actually disabled primary systems
✅ PASS: We regularly conduct drills where we simulate complete primary system failure and operate solely on out-of-band capabilities
Why this matters: Untested plans aren't plans - they're wishful thinking. The time to discover your backup doesn't work is not during an actual crisis.
❌ FAIL: Our backup information is outdated or stored in systems that sync with primary systems
⚠️ PARTIAL: We update them occasionally, but not systematically
✅ PASS: We have automated processes to keep out-of-band contact information current and verify access quarterly
Why this matters: Out-of-band systems are only as good as the data within them. Outdated contact lists or expired credentials make them useless when you need them most.
❌ FAIL: Managing our backup systems requires access to tools that might be compromised
⚠️ PARTIAL: We could manage them, but without our normal tools and monitoring
✅ PASS: Our out-of-band platform has independent management and monitoring capabilities accessible outside our primary environment
Why this matters: You need to be able to scale capacity, adjust permissions, and monitor security of your crisis communication platform during the crisis itself—not just before or after.
Count your responses in each category:
13-15 Passes: Crisis-Ready
Your organisation has genuine out-of-band communication capabilities. You're well-positioned to maintain coordination during major incidents. Focus on regular testing and keeping information current.
8-12 Passes: Partially Protected
You have some independent capabilities, but significant gaps remain. Prioritise addressing your "FAIL" responses, particularly in authentication and crisis activation.
4-7 Passes: Vulnerable
Your organisation has critical dependencies on primary systems. During a major incident, you'll struggle to coordinate effectively. This represents a significant operational risk that needs immediate attention.
0-3 Passes: Critical Risk
Your backup communication strategy is largely theoretical. In a real crisis where primary systems fail, your response will be severely hampered. This should be treated as an urgent priority.
If your assessment revealed gaps - and for most organisations it will - here's how to address them:
Most "backup" systems aren't truly independent. Recognize that having multiple systems on the same infrastructure or authentication doesn't provide real resilience.
When assessing out-of-band solutions, verify:
You can access our Out-of-Band Communications Platform Buyer's Guide for a more detailed approach to assessing out-of-band communication solutions.
Conduct exercises where you actually disable primary systems. If you're not willing to turn things off during a test, you're not testing what happens when they're forced off during an incident.
Out-of-band communications platforms require dedicated maintenance. Assign clear ownership, set update schedules, and verify access regularly.
Here's the ultimate test of your out-of-band readiness:
If you arrived at work tomorrow and every system that touches your corporate network or primary cloud provider was encrypted, inaccessible, or shut down for security isolation, could you still coordinate an effective response?
If the honest answer is no, or even "probably not," you don't have out-of-band communication - you have a dependency that will fail you when you need it most.
Organisations often discover their communication vulnerabilities at the worst possible time - during an actual crisis. The ransomware is spreading, the clock is ticking, and suddenly you realise you can't coordinate the people who need to stop it.
By that point, your options are limited. You're making emergency calls from personal phones, using unsecured consumer apps, sharing sensitive information through inappropriate channels, and hoping you're reaching the right people with the right information.
This checklist exists to help you discover these gaps now, while you still have time to address them.
True operational resilience isn't about having backups of everything - it's about having systems that work independently when everything else fails.