9 min read
How to Notify Employees During a Cyberattack (When Email & Systems Are Down)
When a cyberattack hits, the channels you’d normally use to warn employees — email, Teams, the intranet — are often the first casualties. They may be...
6 min read
Steve Wilson
:
Jul 06, 2026
(Updated : Jul 06, 2026)

When a cyberattack hits, the channels you’d normally use to warn employees — email, Teams, the intranet — are often the first casualties. They may be down, compromised, or unsafe to use because an attacker could be reading them. Reaching your people in that moment is not a prevention problem or an incident-response-process problem. It’s a reachability problem: how do you get an urgent instruction in front of every affected employee, on a channel that still works, and confirm they saw it?
This guide is about that narrow, practical question. Not how to prevent an attack, and not how to run your incident-response plan end to end — those are separate jobs with their own playbooks. This is about the communication slice: how you actually reach and confirm employees during an active cyber incident.
Table of Contents
1. Why your normal channels fail during a cyberattack
2. The answer: an out-of-band, push channel
3. What to send: the message itself
4. Reach the right people, not everyone
5. Confirm who saw it — the part most tools skip
7. This is one piece of a bigger plan

Email, chat, and the intranet are pull channels. They assume a healthy network and an attentive user who happens to be looking at their inbox. During a ransomware attack or breach, both assumptions break at once:
That last point is the crux. During an incident, a message read too late does no good — you need something that lands in front of people the moment you send it. A Windows system administrator at a healthcare (oncology) organization described exactly this after a ransomware incident:
“We got hit by a massive ransomware attack. We sent out an emergency email but nobody reads an email until after the fact. We want something immediately in their face.”
This is not hypothetical. One large healthcare provider adopted DeskAlerts to push instant IT and cybersecurity warnings to staff — including during the WannaCry ransomware outbreak — as described in its healthcare cybersecurity alerting case study.
Incident responders have a term for the fix: out-of-band communication — reaching people through a channel that is separate from, and independent of, the systems that may be compromised. It’s the approach security guidance consistently foregrounds: switch to out-of-band channels and don’t rely on corporate email you can’t trust mid-incident.
An out-of-band employee alerting channel has three properties email and chat lack during an incident:
This is the capability most tools in the critical-communication space tend to under-serve. A lot of the available advice is about committees, reputation, PR, and frameworks. Useful, but it skips the operational question a stressed IT lead is actually asking at 2 a.m.: how do I get a warning in front of everyone when email is down?
When you do reach people, the content should be short and behavioral. You’re trying to change what employees do in the next 60 seconds, not explain the incident. A workable structure:
Keep technical detail, attribution, and speculation out of it. For ready-to-adapt wording under pressure, pre-built templates matter — you don’t want to be drafting from a blank page mid-incident. (Our IT outage message templates are a useful starting point for the mechanics of a clear, calm status message.)

A cyber incident rarely affects the entire organization equally. Blasting all 8,000 employees when only the finance department’s segment is impacted creates panic and noise. Targeting — by department, location, role, or individual — lets you warn the affected group precisely while keeping everyone else calm and working. Then, as the picture changes, you widen or narrow the audience accordingly.
“The capacity to publish rapidly to all users or specific ones important messages about use of critical product.”
— Bruno L., CIO, Hospital & Health Care, via Capterra
Sending is only half the job. The question that actually matters during an incident is who hasn’t seen this yet. Acknowledgment tracking turns a hopeful broadcast into an accountable one: a live list of who has confirmed and who hasn’t, so you can escalate to the unreached instead of assuming an inbox was opened. A “90% delivered” number means nothing until you find the 10% still exposed.

DeskAlerts is employee notification software built for exactly this reachability problem. During a cyber incident, it gives IT and security teams:
If you’re planning for this scenario, the relevant product pages go deeper: IT alerting, emergency notifications, and automated incident notifications.
“Easy to use to send alerts internally to users’ desktops.”
— Jason C., Deputy CIO, Hospital & Health Care, via Capterra
Reaching employees is the communication slice of incident response — not the whole thing. Two adjacent pieces are worth reading alongside this:
Switch to an out-of-band communication channel — one that does not depend on the systems that may be compromised. Never use corporate email, Teams, or the intranet to coordinate an active incident until you know they are clean, because attackers may be reading them or they may be down. Use a separate, independent push channel to reach employees and confirm who received the message.
Use a push channel that does not rely on email or cloud collaboration tools — such as a desktop pop-up, lock-screen alert, or mobile push delivered from an independent alerting system. Push channels fire regardless of whether staff are checking their inbox, and acknowledgment tracking tells you who actually saw the alert versus who still needs to be reached another way.
Keep it short, specific, and action-oriented: what is happening in plain terms, what to stop doing right now (for example, disconnect from the network, do not log in, do not open attachments), how to get further updates, and who to contact. Avoid technical detail and blame. The goal is to change behavior fast, not to explain the incident.
Incident responders deliberately move to out-of-band channels separate from the compromised environment. That means alerting employees through an independent push tool rather than the corporate email or chat that may be monitored or offline, and using a pre-agreed method to coordinate the response team itself.
A common framing is that crisis communication should be clear, concise, consistent, credible, and coordinated. During a cyber incident, “clear” and “concise” matter most in the message itself, while “coordinated” depends on having a reliable channel to reach everyone at once and confirm they received it.
Use a notification tool with acknowledgment or read-receipt tracking. Instead of assuming a message was seen, you get a live list of who has confirmed and who has not — so you can escalate to the people you still haven’t reached rather than hoping an email was opened.
During a cyberattack, don’t assume your normal channels will carry the warning — assume they won’t. The organizations that reach their people fastest are the ones that set up an out-of-band, push-based alerting channel before the incident: one that fires independently of email and cloud outages, targets the right people, and confirms who actually saw the message. When email and Teams are down, a reliable out-of-band channel is what lets you say “everyone was warned in time” and mean it.
DeskAlerts delivers out-of-band desktop, lock-screen, and mobile alerts with acknowledgment tracking — independent of your email and cloud tools, SOC 2 Type II certified, GDPR compliant, and aligned with the NIST Cybersecurity Framework 2.0. Request a demo to see how it works during an incident.
DeskAlerts pushes out-of-band desktop, lock-screen, and mobile alerts with acknowledgment tracking — independent of the email and cloud tools an attack takes down.
Send urgent notifications to any corporate devices: PCs, phones, tablets, etc.
The high visibility combined with our 100% delivery rate guarantee. Bypass information overload. Deliver key information even if the computer is on screensaver mode, locked or sleeping.

9 min read
When a cyberattack hits, the channels you’d normally use to warn employees — email, Teams, the intranet — are often the first casualties. They may be...
6 min read
Communication failures rarely happen because someone “forgot to send an email”, but rather because channels like email, Teams, Slack, and SMS were...
16 min read
Teams is down. Tickets to the help desk flood in faster than anyone in the IT team can triage. Email is useless because half the staff can't sign...
9 min read
Last year was a record-breaking one in terms of the amount of data that was lost around the world in breaches and cyberattacks. It also set a new...
4 min read
Sending employees a cybersecurity awareness email or newsletter is one of the best ways to keep security front of mind in your organization. Using...
9 min read
Cybercrime is a growing problem that is critical for businesses to be aware of and to implement measures against. As digital technologies continue to...