Crisis management

Crisis management: how to effectively manage a cyber crisis?

How to apply the traditional crisis management procedure to a cyber attack? What specificities should you consider? What are the tools at your disposal?

Published on 9 August 2021 (Updated on 17 June 2022)

A cyber crisis consists of an attack on your IT which might result in a serious destabilisation of your organisation. Normal business processes are not enough to mitigate such consequences. This is why a cyber crisis constitutes a major challenge, especially in 2021, when cybersecurity has become a massive issue for companies. Despite its gravity, a cyber crisis can be contained. To cope with a cyber crisis situation, decision-making as well as implementation must be executed in a timely manner. This is the role of crisis management: procedures must be strictly followed to ensure that cyber attacks have a reduced impact on your organisation.

What is a cybersecurity crisis?

To understand what crisis management in cybersecurity means, it is first necessary to recall how the concepts of crisis, crisis management and cyberattack are defined.

How to define a cyber crisis, and subsequently, cyber crisis management?

The word “crisis” originates from the Latinised form of the Greek word “krisis”, which designates the moment when an illness reaches a critical point, which either leads to recovery or to death. By extension, the word “crisis” is nowadays used to designate a difficult period experienced by an individual, a group, or in the case of a cyberattack: a company.

The French equivalent of the UK's Home Office has a division, the IHEMI, which proposes the following definition: "a cyber crisis is a crisis related to a cyber attack which specifically targets the digital heritage, the technical infrastructures or the information systems of a company."

When it comes to tackling those cyber crises, crisis management must embrace several approaches:

  • prevention of crises before they occur;
  • application of a crisis resolution procedure after the cyberattack has been confirmed and identified;
  • mobilisation of techniques and means to counter it;
  • improvement of the crisis management procedure in regard to experience feedback.

Cyber crises are also quite specific. They encompass a series of risk factors:

  • A cyber crisis is almost always related to an IT matter, which is by essence rather technical;
  • It is often spotted quite late, when the hacker has already been operating for several months;
  • Its repercussions are generally massive and there is a psychological impact, internally and externally to your organisation, on your employees' morale as well as on how your company is perceived by outsiders;
  • It calls for transversal management by actors who are not always used to collaborating with one another;
  • It prevents the use of traditional communication tools, because those may have been hacked too;
  • Exits from a cyber crisis are rarely carried out quickly.

Different types of cybersecurity crises

Before embarking on the conceptualisation of crisis management, you must consider the variety of possible crisis scenarios for your business. There are many risks of computer hacking looming over companies. Those are listed by the government on its web page dedicated to cyber security breaches:

  • Cybercrime consists in illegally obtaining personal data in order to exploit or resell them. Resorting to phishing methods is a cybercrime, just like using ransomware.
  • Image damage generally means replacing the official content that your company posts online with political or religious claims or with comments that may harm your reputation.
  • Spy attacks involve either a political or an economic agenda. In this case, the hacker obtains access to your computer system and uses it to exploit your data over the long term.
  • Sabotage comes down to an organised failure, such as seen during Distributed Denial of Service attacks, widely referred to as DDoS attacks. It disrupts your business, which can have a considerable impact on your users.

Who should be involved in cyber crisis management?

Cyber attacks target both private companies and public administrations. If you want cyber crisis management to be effective within your organisation, you should have all of your employees included in the process.

A recent study, “Cyber Insecurity: Managing Threats from Within”, carried out by The Economist Intelligence Unit, looked into how more than 300 executives, CIOs (Chief Information Officers) and CISOs (Chief Information Security Officers) manage cyber crises.

85% of respondents to this survey believe that human vulnerabilities constitute the number one threat to their company's cybersecurity. Technological breaches would then have less impact than the negligence of staff or partners. To go into details:

  • 48% of cyberattacks are perpetrated through the company's clients;
  • 43% through employees;
  • 38% through temporary employees.

That is why effective cyber crisis management needs to implement measures to train every employee of the company.

What does the crisis management process need to include?

Crisis management includes as many steps upstream as steps downstream of the trigger event:

1 / Plan for the various crisis scenarios and develop the means to mitigate or prevent negative consequences.

2 / Internally spread a culture of cyber risk, and have a team design monitoring mechanisms to detect the warning signs of an incoming cyber attack;

3 / Train the teams in crisis management, taking into account what your risk mapping strategy has pointed out as the main risks, or even better, train them in line with an efficient quantification of cyber risks. These simulation exercises make it possible to assimilate procedures and methods, but also to identify potential failures before the onset of a potential crisis.

4 / Recognise the onset of the crisis: a sudden and unexpected event that corrupts the normal operation of the company. The event is serious, and threatens the stability of the organisation.

5 / Define the trigger event of the cyber crisis, if possible before it has serious consequences. This step boils down to specifying and confirming the type of cyberattack you are dealing with.

6 / Once the crisis has been confirmed, proceed to the “remediation” stage. In an emergency situation, it means taking immediate action to mitigate and contain the risk in the short term. This may involve putting devices on standby, and making hard drive duplicates. You can also file a complaint as soon as possible with the competent authorities and report the possible theft of personal data.

7 / Mobilise your crisis response team. They will coordinate the actions of the different teams according to a pre-established crisis management plan. This body within the organisation will play the role of crisis manager and avoid chaos when the time of decision-making comes.

8 / Activate the various crisis management teams:

  • customer relations, who answer questions from consumers or users;
  • internal communications, who communicate with employees;
  • external communications, responsible for the overall coordination of crisis communication in the event of a cyber attack;
  • the audit team, who identifies the cyberattack and assesses the state of the computer network and therefore measures the extent of the damage;
  • developers, who ensure business continuity by booting a backup system.

9 / Establish operational cyber crisis management procedures for each of the various teams. In the context of a cyber crisis, if you want to put an end to a cyber attack, your IT infrastructure first needs to go through a containment phase, before being restored.

10 / When the crisis is over, remove the extraordinary measures and start collecting feedback.

11 / Prepare for future crises by tightening up prevention measures. The IT department should reassess the IT infrastructure’s resilience to other potential cyberattacks, in the interest of continuous improvement.

[Image: Identify cyberattacks to activate crisis management]

Crisis management: How to prepare for a crisis situation?

Crisis preparedness has three components: risk assessment, identification of crisis scenarios and simulation exercises.

Assessing the cyber risks that threaten the company

An effective crisis management procedure necessarily includes a crisis preparation phase. It is about anticipating the risks in order to prevent them more effectively. Hackers are indeed capable of identifying weaknesses, whether they relate to your cybersecurity, to your staff or to your structure. Being aware of those vulnerabilities allows you to manage crises more efficiently.

This assessment of your structural weaknesses generally implies conducting IT and organisational audits. You could also implement risk mapping, to prioritise your cybersecurity efforts and draw up potential cyber attack scenarios.

Anticipating computer attack scenarios

By imagining the course of a cyberattack on your computer systems, you also get a good preview of the potential errors that could boost its repercussions. Establishing scenarios therefore avoids the risk of problems piling up.

Try to picture the spontaneous reactions of your teams, include them in the process. Find the solutions that can help them remain calm and make decisions without improvising. Think about what emergency measures should be favoured: a system quarantine? A duplication of hard drives? Contacting a manager first?

These scenarios must be clearly written down and communicated to all employees. They have to remain easy to access in case of an emergency.

Training for crisis management

Proper cyber crisis management cannot be achieved without cyberattack simulation exercises. It can be an attack simulation drill; it can be an exercise where you mobilise, by surprise, the crisis response team; or it can also simply be a scenario for which you picture the chain reactions in the event of a cyber crisis.

Allow between an hour and a day for this simulation exercise, depending on the number of subsidiaries involved in the process. You may also choose to condense the exercise, without respecting the actual crisis management timeline.

Ideally, the simulation should of course be based on a realistic stress scenario, which concerns a likely and serious risk to the company. Keep in mind, however, that this is just a simulation. The normal operation of your organisation should not actually be disturbed.

[Image: Anticipating crisis scenarios]

The tools for a proper crisis management

At every stage of crisis management, your organisation can rely on useful tools to improve or speed up the crisis resolution process.

Each tool has its role in crisis management

As seen previously, crisis management follows a specific process through different stages. To each of these stages corresponds a specific tool, which can improve the process:

  • Cyber monitoring enables your teams to stay informed of the occurrence of events likely to affect the website or the IT in real time;
  • The vulnerability audit is part of the process of cyber crisis prevention and is also part of the risk assessment;
  • Incident reporting can be conducted via a form that makes it possible to communicate the right information clearly when a risk has been detected. It avoids disrupted communication due to stressful circumstances;
  • The crisis logbook, or crisis handbook facilitates factual communication of information without distorting reality through the grapevine. It also constitutes a written testimony of the progress of operations to analyse retrospectively how the crisis management was carried out;
  • Call filtering helps optimise communication with the outside world, especially with the press;
  • EMNS, which stands for Emergency Mass Notification System, is designed to alert the actors who must take urgent protective measures regarding cyberattacks: employees, suppliers or customers;
  • The crisis management policy chronologically details the procedures each team has to follow. It also includes a “crisis kit” which compiles various files useful for crisis management.

[Image: Cyber monitoring for cybercrisis mitigation]

The crisis kit

The corpus of documents of the crisis kit varies greatly between companies. It does, however, include some key strategic documents for a successful cyber crisis resolution:

  • The “trigger matrix” includes a series of criteria to assess whether the current incident is indeed a cyber attack;
  • The list of internal means to fight against cybercrime: firewalls and antivirus software, backup system, alert system, etc.
  • The contact information of public actors that you might need to liaise with: police station, Crown Prosecution Service;
  • The reflex action sheets detail the crisis resolution procedures that your employees have to follow step by step;
  • The phone tree indicates in which order the members of the crisis response team should be contacted.
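
To make three of these crisis-kit documents concrete, here is an added example (not code from the original article or from any organisation's real procedure) that models a trigger matrix, a phone tree and a crisis logbook in Python. The criteria, weights, threshold, roles and phone numbers are constructed placeholders; the hash-chaining of logbook entries is an assumed design choice that makes the "written testimony" tamper-evident when it is reviewed after the crisis.

```python
"""Constructed example of three crisis-kit artefacts: a trigger matrix,
a phone tree and a tamper-evident crisis logbook. All criteria, weights,
roles and numbers are assumptions for illustration only."""
import hashlib
import json
from datetime import datetime, timezone

# Trigger matrix: each criterion carries a weight; a cyber crisis is opened
# when the weighted score of the observed criteria reaches the threshold.
# Criteria, weights and threshold are constructed for this example.
TRIGGER_MATRIX = {
    "confirmed_unauthorised_access": 5,
    "data_exfiltration_suspected": 4,
    "ransom_note_or_encryption": 5,
    "core_service_unavailable": 3,
    "multiple_sites_affected": 2,
    "communication_tools_compromised": 3,
}
CRISIS_THRESHOLD = 6


def evaluate_trigger(observations: dict) -> tuple:
    """Return (score, open_crisis). Criteria absent from the matrix are ignored."""
    score = sum(weight for criterion, weight in TRIGGER_MATRIX.items()
                if observations.get(criterion))
    return score, score >= CRISIS_THRESHOLD


# Phone tree: ordered (role, contact) pairs, called from top to bottom.
# Numbers are placeholders.
PHONE_TREE = [
    ("crisis manager", "+00 000 000 001"),
    ("CISO", "+00 000 000 002"),
    ("head of IT operations", "+00 000 000 003"),
    ("external communications lead", "+00 000 000 004"),
]


def call_order(unreachable=frozenset()) -> list:
    """Roles in the order they should be called, skipping known-unreachable ones."""
    return [role for role, _ in PHONE_TREE if role not in unreachable]


class CrisisLogbook:
    """Append-only logbook. Each entry carries the SHA-256 digest of the
    previous entry, so a later edit, deletion or reordering of the record
    is detectable during the retrospective analysis."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, author: str, message: str, when: str = None) -> str:
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "time": when,
                 "author": author, "message": message, "prev": prev}
        payload = json.dumps(entry, sort_keys=True).encode()
        entry["digest"] = hashlib.sha256(payload).hexdigest()
        self.entries.append(entry)
        return entry["digest"]

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered or removed."""
        prev = self.GENESIS
        for index, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "digest"}
            expected = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if entry["seq"] != index or entry["prev"] != prev or expected != entry["digest"]:
                return False
            prev = entry["digest"]
        return True


if __name__ == "__main__":
    # Constructed observations reported through the incident form.
    score, opened = evaluate_trigger(
        {"ransom_note_or_encryption": True, "core_service_unavailable": True})
    print("trigger score", score, "open crisis:", opened)
    print("call order:", call_order(unreachable={"CISO"}))
    book = CrisisLogbook()
    book.record("on-call analyst", "file servers encrypted, ransom note on SRV-01")
    book.record("crisis manager", "crisis cell activated, containment ordered")
    print("logbook intact:", book.verify())
```

Because the article notes that the usual communication tools may themselves be compromised during a crisis, the logbook is worth keeping on a system outside the affected IT (or on paper, with the digests copied by hand); the chain only detects after-the-fact alteration of the record, it does not prevent it.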

[Image: Internal communication, a priority in crisis management]

Frequently Asked Questions about crisis management

The management of a cyber crisis is based on the traditional process of any crisis management. In general terms, it is necessary to anticipate the risks in order to be able to identify an incident due to a cybercrime. It is then necessary to mobilise the crisis unit and carry out the remediation procedures. Crisis management ends with the feedback analysis and the creation of a new cyber crisis management policy.

Cyber crises are often difficult to identify. With the exception of a denial of service attack, the consequences of which are immediately tangible, the IT department generally does not spot a cyber attack until after it has occurred, when it already seriously compromises data security, for example.

A cyber crisis can cripple your computer systems, or result in the theft of sensitive data. It can expose you to blackmail, or it might damage your reputation, and consequently your financial worth.