How do you apply the traditional crisis management procedure to a cyber attack? What specific features should you take into account? What tools are at your disposal?
Published on Aug. 9, 2021, 5:34 a.m. (Updated on 24 September 2021 17:11)
A cyber crisis is an attack on your information systems that is serious enough to destabilise the organisation: normal business processes are no longer sufficient to absorb its consequences. This is why a cyber crisis is such a challenge, especially in 2021, when cybersecurity has become a major issue for companies. Despite its gravity, a cyber crisis can be contained, provided that decisions are taken and carried out quickly. That is the role of crisis management: procedures must be followed rigorously so that the attack's impact on the organisation stays limited.
To understand what crisis management means in cybersecurity, it is first necessary to recall how the concepts of crisis, crisis management and cyber attack are defined.
The word "crisis" comes from the Latinised form of the Greek "krisis", the moment when an illness reaches a critical point that leads either to recovery or to death. By extension, "crisis" now designates a difficult period experienced by an individual, a group or, in the case of a cyber attack, a company.
IHEMI, an institute attached to the French Ministry of the Interior (the equivalent of the UK's Home Office), proposes the following definition: "a cyber crisis is a crisis related to a cyber attack which specifically targets the digital assets, the technical infrastructure or the information systems of a company."
To tackle such crises, crisis management must combine several approaches:
Cyber crises also have specific features of their own and combine several risk factors:
Before designing your crisis management, consider the variety of crisis scenarios that could affect your business. Many kinds of attack threaten companies; the government lists them on its web page dedicated to cyber security breaches:
Cyber attacks target private companies and public administrations alike. For cyber crisis management to be effective within your organisation, every employee must be included in the process.
A recent study, “Cyber Insecurity: Managing Threats from Within” carried out by The Economist Intelligence Unit looked into how more than 300 executives, CIOs (Chief Information Officer) and CISOs (Chief Information Security Officer) manage cyber crises.
85% of respondents believe that human vulnerabilities are the number one threat to their company's cybersecurity. Technical weaknesses would thus matter less than negligence by staff or partners. In more detail:
That is why effective cyber crisis management must include measures to train every employee of the company.
Crisis management involves as many steps before the trigger event as after it:
1 / Plan for the various crisis scenarios and develop the means to prevent or mitigate their consequences.
2 / Spread a culture of cyber risk internally, and have a team design monitoring mechanisms to detect the warning signs of an incoming cyber attack;
3 / Train the teams in crisis management, taking into account the main risks identified by your risk mapping or, better still, a precise quantification of cyber risks. These simulation exercises let the teams assimilate procedures and methods, and also reveal weaknesses before a real crisis occurs.
4 / Recognise the onset of the crisis: a sudden, unexpected event that disrupts the normal operation of the company. The event is serious and threatens the stability of the organisation.
5 / Characterise the trigger event of the cyber crisis, if possible before it has serious consequences. This step boils down to identifying and confirming the type of cyber attack you are dealing with.
6 / Once the crisis is confirmed, move to the "remediation" stage. In an emergency, this means taking immediate action to contain the risk in the short term. This may involve isolating affected devices from the network (rather than powering them off, which destroys the evidence held in memory) and making forensic duplicates of hard drives before anything is changed. File a complaint with the competent authorities as soon as possible, and report any possible theft of personal data to the data protection authority (under the GDPR, within 72 hours of becoming aware of the breach where feasible).
7 / Mobilise your crisis response team. It coordinates the actions of the different teams according to a pre-established crisis management plan, acts as crisis manager, and prevents chaos when decisions have to be taken.
8 / Activate the various crisis management teams:
9 / Establish operational cyber crisis management procedures for each team. To put an end to a cyber attack, your IT infrastructure must first go through a containment phase (cutting off the attacker's access), then the attacker's foothold must be eradicated, and only then should systems be restored; a system restored before eradication is simply reinfected.
10 / When the crisis is over, lift the extraordinary measures and start collecting feedback.
11 / Prepare for future crises by tightening prevention measures. In the interest of continuous improvement, the IT department should reassess the infrastructure's resilience to other potential cyber attacks.
Crisis preparedness has three components: risk assessment, identification of crisis scenarios and simulation exercises.
An effective crisis management procedure necessarily includes a preparation phase: anticipating the risks in order to prevent them better. Attackers look for weaknesses, whether they are technical, human or organisational. Knowing your own vulnerabilities lets you manage crises more efficiently.
Assessing these structural weaknesses generally means conducting IT and organisational audits. You can also carry out risk mapping to prioritise your cybersecurity efforts and draw up potential cyber attack scenarios.
By imagining the course of a cyber attack on your computer systems, you also get a good preview of the mistakes that could amplify its consequences. Establishing scenarios therefore reduces the risk of problems compounding one another.
Try to picture the spontaneous reactions of your teams, and include them in the process. Find the solutions that help them remain calm and make decisions without improvising. Think about which emergency measures should take priority: quarantining the system? Imaging the hard drives? Contacting a manager first?
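The "duplication of hard drives" named in step 6 of the procedure and in the emergency measures above is only useful as evidence if the copy can be shown to be faithful. The following POSIX shell script is an added example, not part of the original article or of any tool it mentions: it takes a bit-for-bit image of an evidence source with dd, hashes source and image, appends a chain-of-custody record, and lets the image be re-verified later. It assumes dd, awk and sha256sum (or shasum) are available and that the source (normally a block device such as /dev/sdb, attached read-only; here a plain file, so the example runs offline) is not written to while it is copied. The case identifier and file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): forensic image of an
# evidence source plus integrity hashes for the case file.
# Assumed environment: POSIX sh, dd, awk, and sha256sum or shasum.

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# image_evidence SOURCE IMAGE CASE_ID
# Copies SOURCE to IMAGE, hashes both, appends a custody record to IMAGE.log
# and returns 0 only when the two hashes match.
image_evidence() {
    src="$1"; img="$2"; case_id="$3"

    # bs=512 divides the size of every sector-addressed device, so conv=sync
    # never pads the final block; conv=noerror keeps going past unreadable
    # sectors (they are zero-filled, and the hashes then legitimately differ).
    # dd's own statistics and error messages are kept beside the image.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>"$img.dd.log" || return 1

    src_hash=$(sha256_of "$src" 2>/dev/null)
    [ -n "$src_hash" ] || src_hash=unreadable
    img_hash=$(sha256_of "$img") || return 1
    if [ "$src_hash" = "$img_hash" ]; then status=verified; else status=MISMATCH; fi

    # One tab-separated custody record per acquisition: when, which case,
    # what was acquired, both hashes, and the outcome of the comparison.
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$case_id" "$src" "$src_hash" "$img_hash" "$status" >> "$img.log"
    [ "$status" = verified ]
}

# verify_image IMAGE
# Rehashes IMAGE and compares it with the hash recorded at acquisition time;
# this is how a copy handed to analysts or to the authorities is shown to be
# unchanged.
verify_image() {
    img="$1"
    recorded=$(awk -F'\t' '{h=$5} END {print h}' "$img.log") || return 1
    [ -n "$recorded" ] && [ "$(sha256_of "$img")" = "$recorded" ]
}

# Constructed sample: a 4 KiB "disk" of random bytes stands in for a device.
# Images it, verifies the image and prints the working directory.
demo() {
    work=$(mktemp -d) || return 1
    dd if=/dev/urandom of="$work/disk.raw" bs=512 count=8 2>/dev/null || return 1
    image_evidence "$work/disk.raw" "$work/case-001.img" CASE-001 || return 1
    verify_image "$work/case-001.img" || return 1
    printf '%s\n' "$work"
}
```

Run `demo` to see the three artefacts side by side (the image, dd's log and the custody log). On a real acquisition, read `case-001.img.dd.log` before trusting a MISMATCH status: a non-zero count of read errors explains the difference, whereas a mismatch with no read errors means the source changed during the copy, which is exactly what a write blocker or a read-only mount is there to prevent.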
These scenarios must be written down clearly and communicated to all employees, and they must remain easy to access in an emergency.
Proper cyber crisis management cannot do without cyber attack simulation exercises. This can be an attack simulation drill, a surprise mobilisation of the crisis response team, or simply a tabletop scenario in which you walk through the chain of reactions that a cyber crisis would trigger.
Allow between an hour and a day for the exercise, depending on the number of subsidiaries involved. You may also compress the exercise's timeline rather than playing it out at the pace of a real crisis.
Ideally, the simulation should be based on a realistic stress scenario, covering a risk that is both likely and serious for the company. Keep in mind, however, that it is only a simulation: the normal operation of your organisation should not actually be disrupted.
At every stage of crisis management, your organisation can rely on useful tools to improve or speed up the crisis resolution process.
As seen above, crisis management follows a specific process made up of distinct stages. To each stage corresponds a specific tool that can improve it:
The set of documents making up the crisis kit varies greatly from one company to another. It does, however, include some key strategic documents for resolving a cyber crisis successfully:
Managing a cyber crisis rests on the traditional process of any crisis management. In broad terms, you must anticipate the risks in order to be able to identify an incident caused by a cyber attack, then mobilise the crisis unit and carry out the remediation procedures. Crisis management ends with the feedback analysis and an updated cyber crisis management policy.
Cyber crises are often hard to detect. With the exception of a denial of service attack, whose effects are immediately visible, the IT department generally discovers an attack only after the fact, when data security is already seriously compromised.
A cyber crisis can cripple your computer systems, or result in the theft of sensitive data. It can expose you to blackmail, or it might damage your reputation, and consequently your financial worth.