Skip to the main content.
TRIAL
REQUEST DEMO
TRIAL
REQUEST DEMO

6 min read

How to Notify Employees During a Cyberattack (When Email & Systems Are Down)

Urgent cyberattack alert notifying employees on a desktop and phone that email and internal systems are down

When a cyberattack hits, the channels you’d normally use to warn employees — email, Teams, the intranet — are often the first casualties. They may be down, compromised, or unsafe to use because an attacker could be reading them. Reaching your people in that moment is not a prevention problem or an incident-response-process problem. It’s a reachability problem: how do you get an urgent instruction in front of every affected employee, on a channel that still works, and confirm they saw it?

This guide is about that narrow, practical question. Not how to prevent an attack, and not how to run your incident-response plan end to end — those are separate jobs with their own playbooks. This is about the communication slice: how you actually reach and confirm employees during an active cyber incident.

Table of Contents

1. Why your normal channels fail during a cyberattack

2. The answer: an out-of-band, push channel

3. What to send: the message itself

4. Reach the right people, not everyone

5. Confirm who saw it — the part most tools skip

6. Where DeskAlerts fits

7. This is one piece of a bigger plan

8. Frequently asked questions

9. The bottom line


Why your normal channels fail during a cyberattack

IT administrator facing offline email and chat during a cyberattack while a DeskAlerts incident-response desktop alert warns staff

Email, chat, and the intranet are pull channels. They assume a healthy network and an attentive user who happens to be looking at their inbox. During a ransomware attack or breach, both assumptions break at once:

  • The channel itself may be down. Ransomware that encrypts servers or forces an isolation shutdown can take email, file shares, and internal apps offline exactly when you need them.
  • The channel may be compromised. If an attacker has a foothold in your mail or collaboration environment, anything you write there can be read — including your response coordination. Warning staff through a monitored channel tips your hand.
  • The message may simply be missed. Even when email is technically working, people don’t refresh their inbox during a crisis. A warning email that sits unread for ten minutes is, in practice, the same as no warning at all.

That last point is the crux. During an incident, a message read too late does no good — you need something that lands in front of people the moment you send it. A Windows system administrator at a healthcare (oncology) organization described exactly this after a ransomware incident:

“We got hit by a massive ransomware attack. We sent out an emergency email but nobody reads an email until after the fact. We want something immediately in their face.”

This is not hypothetical. One large healthcare provider adopted DeskAlerts to push instant IT and cybersecurity warnings to staff — including during the WannaCry ransomware outbreak — as described in its healthcare cybersecurity alerting case study.

The answer: an out-of-band, push channel

Incident responders have a term for the fix: out-of-band communication — reaching people through a channel that is separate from, and independent of, the systems that may be compromised. It’s the approach security guidance consistently foregrounds: switch to out-of-band channels and don’t rely on corporate email you can’t trust mid-incident.

An out-of-band employee alerting channel has three properties email and chat lack during an incident:

  1. It pushes. The alert appears in front of the employee — a desktop pop-up, a lock-screen message, a mobile push — instead of waiting in an inbox for someone to check it.
  2. It’s independent. It doesn’t ride on the email or cloud collaboration tools that may be down or watched. Delivery keeps working through an email, cloud, or Teams outage.
  3. It confirms receipt. You get acknowledgment tracking — a live view of who has actually seen the alert — so you know who’s covered and who you still have to reach another way.

This is the capability most tools in the critical-communication space tend to under-serve. A lot of the available advice is about committees, reputation, PR, and frameworks. Useful, but it skips the operational question a stressed IT lead is actually asking at 2 a.m.: how do I get a warning in front of everyone when email is down?

What to send: the message itself

When you do reach people, the content should be short and behavioral. You’re trying to change what employees do in the next 60 seconds, not explain the incident. A workable structure:

  • What’s happening, in one plain sentence. (“We are responding to a security incident affecting company systems.”)
  • What to stop doing, right now. The single most valuable line. For example: disconnect from the network, do not log in, do not open email attachments, do not enter credentials.
  • Where updates will come from — and crucially, which channel, since the usual ones may be down.
  • Who to contact if they see something suspicious or need help.

Keep technical detail, attribution, and speculation out of it. For ready-to-adapt wording under pressure, pre-built templates matter — you don’t want to be drafting from a blank page mid-incident. (Our IT outage message templates are a useful starting point for the mechanics of a clear, calm status message.)

Reach the right people, not everyone

Targeted DeskAlerts emergency notification reaching only the affected department during a cyber incident

A cyber incident rarely affects the entire organization equally. Blasting all 8,000 employees when only the finance department’s segment is impacted creates panic and noise. Targeting — by department, location, role, or individual — lets you warn the affected group precisely while keeping everyone else calm and working. Then, as the picture changes, you widen or narrow the audience accordingly.

“The capacity to publish rapidly to all users or specific ones important messages about use of critical product.”

Bruno L., CIO, Hospital & Health Care, via Capterra

Confirm who saw it — the part most tools skip

Sending is only half the job. The question that actually matters during an incident is who hasn’t seen this yet. Acknowledgment tracking turns a hopeful broadcast into an accountable one: a live list of who has confirmed and who hasn’t, so you can escalate to the unreached instead of assuming an inbox was opened. A “90% delivered” number means nothing until you find the 10% still exposed.

Where DeskAlerts fits

Acknowledgment tracking view showing which employees confirmed a cyberattack alert

DeskAlerts is employee notification software built for exactly this reachability problem. During a cyber incident, it gives IT and security teams:

  • Out-of-band push delivery — desktop pop-ups, lock-screen alerts, and mobile push that appear in front of employees rather than waiting in an inbox that no one is checking.
  • Delivery that’s independent of email and cloud outages. With on-premise deployment, alerting keeps working through email, cloud, and Teams outages, so you can avoid channels you can’t trust mid-incident. (It won’t magically survive a full network compromise — but it removes your dependence on the email and collaboration tools most likely to be down or watched.)
  • Acknowledgment and read-receipt tracking so you know who actually saw the alert.
  • Targeting to reach only the affected users, departments, or locations.
  • Pre-built templates ready to fire the moment an incident starts.

If you’re planning for this scenario, the relevant product pages go deeper: IT alerting, emergency notifications, and automated incident notifications.

“Easy to use to send alerts internally to users’ desktops.”

Jason C., Deputy CIO, Hospital & Health Care, via Capterra

This is one piece of a bigger plan

Reaching employees is the communication slice of incident response — not the whole thing. Two adjacent pieces are worth reading alongside this:

  • Prevention. The best incident is the one that doesn’t happen. Employee awareness and training reduce your exposure in the first place — see our cyber security awareness email to employees.
  • The incident-response process. How you coordinate the overall response — roles, escalation, and decision-making — is its own discipline. Our incident response communication plan covers the process; this post covers the employee-notification step inside it.

Frequently asked questions

What is the first thing to do when communicating during a cyberattack?

Switch to an out-of-band communication channel — one that does not depend on the systems that may be compromised. Never use corporate email, Teams, or the intranet to coordinate an active incident until you know they are clean, because attackers may be reading them or they may be down. Use a separate, independent push channel to reach employees and confirm who received the message.

How do you reach employees when email and Teams are down?

Use a push channel that does not rely on email or cloud collaboration tools — such as a desktop pop-up, lock-screen alert, or mobile push delivered from an independent alerting system. Push channels fire regardless of whether staff are checking their inbox, and acknowledgment tracking tells you who actually saw the alert versus who still needs to be reached another way.

What should you tell employees during a cyberattack?

Keep it short, specific, and action-oriented: what is happening in plain terms, what to stop doing right now (for example, disconnect from the network, do not log in, do not open attachments), how to get further updates, and who to contact. Avoid technical detail and blame. The goal is to change behavior fast, not to explain the incident.

How do people in cybersecurity communicate during an incident?

Incident responders deliberately move to out-of-band channels separate from the compromised environment. That means alerting employees through an independent push tool rather than the corporate email or chat that may be monitored or offline, and using a pre-agreed method to coordinate the response team itself.

What are the 5 C’s of crisis communication?

A common framing is that crisis communication should be clear, concise, consistent, credible, and coordinated. During a cyber incident, “clear” and “concise” matter most in the message itself, while “coordinated” depends on having a reliable channel to reach everyone at once and confirm they received it.

How do you confirm employees actually saw a cyber incident alert?

Use a notification tool with acknowledgment or read-receipt tracking. Instead of assuming a message was seen, you get a live list of who has confirmed and who has not — so you can escalate to the people you still haven’t reached rather than hoping an email was opened.

The bottom line

During a cyberattack, don’t assume your normal channels will carry the warning — assume they won’t. The organizations that reach their people fastest are the ones that set up an out-of-band, push-based alerting channel before the incident: one that fires independently of email and cloud outages, targets the right people, and confirms who actually saw the message. When email and Teams are down, a reliable out-of-band channel is what lets you say “everyone was warned in time” and mean it.

DeskAlerts delivers out-of-band desktop, lock-screen, and mobile alerts with acknowledgment tracking — independent of your email and cloud tools, SOC 2 Type II certified, GDPR compliant, and aligned with the NIST Cybersecurity Framework 2.0. Request a demo to see how it works during an incident.

See how fast you can reach everyone in an incident

DeskAlerts pushes out-of-band desktop, lock-screen, and mobile alerts with acknowledgment tracking — independent of the email and cloud tools an attack takes down.

Request demo

How to Notify Employees During a Cyberattack (When Email & Systems Are Down)

9 min read

How to Notify Employees During a Cyberattack (When Email & Systems Are Down)

When a cyberattack hits, the channels you’d normally use to warn employees — email, Teams, the intranet — are often the first casualties. They may be...

Read More
IT Outages, Maintenance, Security Gaps: How 3 Organizations Solved Their Communication Breakdowns

6 min read

IT Outages, Maintenance, Security Gaps: How 3 Organizations Solved Their Communication Breakdowns

Communication failures rarely happen because someone “forgot to send an email”, but rather because channels like email, Teams, Slack, and SMS were...

Read More
How IT Teams Keep Everyone Informed During Outages: Comms Solutions That Work

16 min read

How IT Teams Keep Everyone Informed During Outages: Comms Solutions That Work

Teams is down. Tickets to the help desk flood in faster than anyone in the IT team can triage. Email is useless because half the staff can't sign...

Read More
6 Samples of Cybersecurity Awareness Email to Employees

9 min read

6 Samples of Cybersecurity Awareness Email to Employees

Last year was a record-breaking one in terms of the amount of data that was lost around the world in breaches and cyberattacks. It also set a new...

Read More
3 Information Security Newsletter Templates

4 min read

3 Information Security Newsletter Templates

Sending employees a cybersecurity awareness email or newsletter is one of the best ways to keep security front of mind in your organization. Using...

Read More
Raise Cybersecurity Awareness: How to Use DeskAlerts for Maximum Effect

9 min read

Raise Cybersecurity Awareness: How to Use DeskAlerts for Maximum Effect

Cybercrime is a growing problem that is critical for businesses to be aware of and to implement measures against. As digital technologies continue to...

Read More