The increase in cyber incidents and data breaches over the last few years has been instructive for prudent businesses seeking to learn from the headlines to enhance their own systems. The same can be said for the bad actors carrying out such attacks.
For every informative takeaway gleaned from high-profile events like the Colonial Pipeline ransomware attack in May 2021 comes a lesson of equal importance for cybercriminals. Sure, the Department of Justice seized approximately $2.3 million of the $4.4 million ransom payment Colonial Pipeline made to its hackers, but the company still made the initial payment. The way the attackers leveraged Colonial Pipeline’s importance to East Coast fuel supplies to coerce the company’s leadership into believing that paying up was its “duty … to the American public” serves as a template for other hackers to follow when considering their manipulation tactics.
To this point, a session at Compliance Week’s virtual Cyber Risk & Data Privacy Summit last week sought to provide attendees with best practices for combating ransomware attacks. The discussion was modeled around CW’s ransomware attack case study published last winter.
Panelists Timothy Rohrbaugh, former chief information security officer at JetBlue Airways, and Pilar Caballero, vice president, chief compliance officer and chief privacy officer at transport giant Ryder Systems, offered their perspectives regarding how today’s hackers succeed when carrying out attacks on businesses. When asked to share best practices around internal communication post-breach, the two experts noted the ways in which bad actors seek to disrupt the process for their benefit.
The key vulnerability? Employees.
“I would put employee notification near the top,” said Rohrbaugh of the priorities in the moment. “Not just one time—transparent communication. They will be used to leverage you, especially if you start to delay.”
“There’s different threat actor groups, and they all have different profiles,” added Caballero. “You tend to know how different threat actors may react and leverage different things depending on that group.”
These insights resonated with me as someone who closely follows how companies respond to cyber incidents. The businesses that downplay their issues always seem to be the ones most susceptible to follow-up attacks, while those that delay disclosure often find themselves subject to negative backlash.
Such is currently playing out at video game company Activision Blizzard, which acknowledged this week it suffered a breach in December in which employee data appears to have been exposed. Those employees said they found out about the incident on social media over the weekend—same as the rest of the world.
Then you have the GoDaddy breach disclosures included in a regulatory filing on Feb. 16. The web hosting company detailed multiple incidents it has dealt with dating back to March 2020, all linked to the same threat actors. Needless to say, the long-overdue revelation has not been received kindly by cybersecurity experts.
“Most of the time, ransomware is sourced by an intrusion, and that intrusion was a crime of opportunity,” noted Rohrbaugh. “What that means is you didn’t do the basics and you allowed somebody in.”
From that point on, you control the narrative. Get ahead of what happened before the media—or worse, the hacker—beats you to it and shapes the story. Otherwise, you might find yourself dealing with ramifications beyond an attack’s impact on your systems.
Cybersecurity pillars: Prevention, protection, mitigation, governance
Lessons in cybersecurity: Control the breach narrative