Crisis management: how to effectively manage a cyber crisis

What is a cybersecurity crisis?

To understand what crisis management in cybersecurity means, it is first necessary to recall the definitions of concepts like crisis, crisis management, and cyberattacks.

How to define a cyber crisis, and subsequently, cyber crisis management

The word “crisis” originates from the Latinised form of the Greek word “krisis”, which designates the moment when an illness reaches a critical point, either leading to recovery or death. By extension, the word “crisis” is nowadays used to designate a difficult period experienced by an individual, a group, or – in the case of an IT failure – a company.

The French equivalent of the UK's Home Office has a division –IHEMI– which offers the following definition: "a cyber crisis is a crisis related to a cyber attack which specifically targets the digital heritage, the technical infrastructures or the information systems of a company."

When it comes to tackling those cyber crises, crisis management must embrace several approaches:

• prevention of crises before they occur;
• application of a crisis resolution procedure after an IT failure has been confirmed and identified.;
• mobilisation of techniques and means to counter it;
• improvement of the crisis management procedure in regard to experience feedback.

Cyber ​​crises are also quite specific. They encompass a series of risk factors:

• A cyber crisis is almost always related to an IT matter, which is by essence rather technical;
• It is often spotted quite late, when the hacker has already been operating for several months;
• Its repercussions are generally massive and there is a psychological impact, internally and externally to your organisation, on your employees' morale as well as on how your company' reputation;
• It calls for transversal management by stakeholders who are not always used to collaborating with one another;
• It prevents the use of traditional communication tools, because they, too, may have been compromised;
• Exiting a cyber crisis is rarely a fast procedure.

Different types of cybersecurity crises

Before beginning to design your crisis management programme, you must first consider the variety of possible crisis scenarios for your business. The risk of computer hacking looms over companies. The different types of risks are listed by the UK government on its web page dedicated to cybersecurity breaches:

• Cybercrime consists in illegally obtaining personal data in order to exploit or resell them. Resorting to phishing methods is a cybercrime, just like using ransomware.
• Image damage generally means replacing the official content that your company posts online with political or religious claims or with comments that may harm your reputation.
• Spy attacks involve either a political or an economic agenda. In this case, the hacker obtains access to your computer system, using it to exploit your data with long term intentions
• Sabotage is when an organised failure, such as a Distributed Denial of Service attack (widely referred to as DDoS attack) disrupts your business, having a considerable impact on your users.

Who should be involved in cyber crisis management?

Cyber​​attacks target both private companies and public administrations. If you want cyber crisis management to be effective within your organisation, you should include all of your employees in the process.

A recent study, “Cyber ​​Insecurity: Managing Threats from Within” carried out by The Economist Intelligence Unit looked into how more than 300 executives, CIOs (Chief Information Officers) and CISOs (Chief Information Security Officers) manage cyber crises.

85% of respondents to this survey believe that human vulnerabilities constitute the number one threat to their company's cybersecurity. If this is true, then technological breaches have less impact than staff or partner negligence. In more detail:

• 48% of cyberattacks are perpetuated through a company's client;
• 43% through its employees;
• 38% through temporary employees.

That is why effective cyber crisis management needs to implement measures to train every employee of the company.

‍

What does the crisis management process need to include?

Crisis management includes as many steps upstream as those downstream of the trigger event:

1 / Plan for the various crisis scenarios and develop the means to mitigate or prevent negative consequences.

2 / Internally spread a culture of cyber risk awareness, and have a team design monitoring mechanisms to detect the warning signs of an incoming cyberattack;

3 / Provide training to your teams on crisis management, taking into account what your risk mapping strategy has pointed out as the main risks, or even better, train them in compliance with a precise quantification of cyber risks. These simulation exercises make it possible to assimilate procedures and methods, but also to identify potential failures before the onset of a genuine crisis

4 / Recognise the onset of the crisis: a sudden and unexpected event that corrupts the normal operation of the company. The event is serious, and threatens the stability of the organisation.

5 / Define the trigger event of the cyber crisis, if possible before it has serious consequences. This step boils down to specifying and confirming the type of cyberattack you are dealing with.

6 / Once the crisis has been confirmed, proceed to the “remediation” stage. In an emergency situation, this means taking immediate action to mitigate and contain the risk in the short term. This may involve putting devices on standby or duplicating hard drives. You can also file a complaint as soon as possible with the relevant authorities and report the possible theft of personal data.

7 / Mobilise your crisis response team. They will coordinate the various teams’ actions according to a pre-established crisis management plan. This body within the organisation will play the role of crisis manager and avoid potential chaos when decisions need to be taken.

8 / Activate the various crisis management teams:

• customer relations, who field questions from consumers or users;
• internal communications, who communicate with employees;
• external communications, responsible for the overall coordination of crisis communication in the event of a cyberattack;
• the audit team, who identify the cyberattack and assess the state of the computer network, thereby measuring the extent of the damage;
• developers, who ensure business continuity by booting a backup system.

9 / Establish operational cyber crisis management procedures for each and every one of the various teams. In the context of a cyber crisis, if you want to put an end to a cyberattack, your IT infrastructure first needs to go through a containment phase, before being restored.

10 / When the crisis is over, lift any extraordinary measures and start collecting feedback.

11 / Prepare for future crises by tightening up prevention measures. The IT department should reassess the system’s resilience to potential other cyberattacks, in the interest of continuous improvement.

Crisis management: How to prepare for a crisis situation?

Crisis preparedness depends on three components: risk assessment, identification of crisis scenarios, and simulation exercises.

Assessing the cyber risks that threaten the company

An effective crisis management procedure necessarily includes a crisis preparation phase. It is all about anticipating risk, to better prevent it. Hackers are indeed capable of identifying weaknesses, whether they are relative to your cybersecurity, to your staff, or to your structure. Being aware of those vulnerabilities allows you to manage crises more efficiently.

This assessment of your structural weaknesses generally implies conducting IT and organisational audits. You could also implement risk mapping, to prioritise your cybersecurity efforts and draw up potential cyberattack scenarios.

Anticipating computer attack scenarios

By imagining the course of a cyberattack on your computer systems, you also get a good preview of the potential errors that could catalyse its repercussions. Establishing scenarios therefore avoids the risk of problems piling up.

Try to picture the spontaneous reactions of your teams, including them in the process. Find the solutions that can help them remain calm and make decisions without improvising. Think about what emergency measures should be favoured: a system quarantine? A duplication of hard drives? Contacting a manager first?

These scenarios must be clearly written down and communicated to all employees. They have to remain easy to access in case of an emergency.

Training for crisis management

True cyber crisis management cannot be effective without cyberattack simulation exercises. This can be an attack simulation drill; it can be an exercise where you mobilise, by surprise, the crisis response team; or it can also simply be a scenario for which you picture the chain reactions in the event of a cyber crisis.

Allow this simulation exercise to run between an hour and a day, depending on the number of partners involved in the process. You may also choose to condense the exercise, without respecting the actual crisis management time.

Ideally, the simulation should, of course, be based on a realistic stress scenario, which concerns a likely and serious risk to the company. Keep in mind, however, that this is just a simulation. The normal operation of your organisation should not actually be disturbed.

The tools for a proper crisis management

As seen previously, crisis management follows a specific process through different stages. Each of these stages corresponds to a specific tool, which can improve the process:

• Cyber monitoring enables your teams to stay informed of the occurrence of events likely to affect the website or the IT system in real time;
• The vulnerability audit is part of the cyber crisis prevention process and is also part of risk assessment;
• Incident reporting can be conducted via a form which enables teams to clearly communicate the right information when a risk has been detected. It avoids disrupted communication in stressful circumstances.
• The crisis logbook, or crisis handbook, facilitates factual communication of information without distorting reality, which can occur when team members are forced to interpret partial or unreliable information. It also constitutes a written testimony of the progress of operations to analyse retrospectively how the crisis management was carried out;
• Call filtering helps optimise communication with the outside world, especially with the press;
• EMNS, which stands for Emergency Mass Notification System, is designed to alert the stakeholders responsible for taking urgent protective measures regarding cyberattacks: employees, suppliers, or customers;
• The crisis management policy chronologically details the procedures each team is expected to follow. It also includes a “crisis kit” which compiles various files useful for crisis management.

The crisis kit

The corpus of documents of the crisis kit varies greatly between companies. It does, however, include some key strategic documents for a successful cyber crisis resolution:

• The “trigger matrix” includes a series of criteria to assess whether the current incident is indeed a cyberattack;
• The list of internal means to fight against cybercrime: firewalls and antivirus software, backup system, alert system, etc.
• The contact information of public partners that you may need to liaise with: police station, Crown Prosecution Service;
• The reflex action sheets detail the crisis resolution procedures that your employees must follow step-by-step;
• The phone tree indicates in which order the members of the crisis response team should be contacted.

‍