A cyber crisis is when an IT system fails and becomes unavailable, potentially causing serious disruption to your organisation. Normal business processes are not enough to mitigate such consequences. This is why a cyber crisis constitutes a major challenge, especially in 2022, when cybersecurity has become a massive issue for companies.
Despite how serious it is, a cyber crisis can be contained. To cope with a cyber crisis situation, decision-making as well as implementation must be executed in a timely manner. This is the role of crisis management: ensuring that procedures are strictly followed so that cyberattacks have a reduced impact on your organisation.
To understand what crisis management in cybersecurity means, it is first necessary to recall the definitions of concepts like crisis, crisis management, and cyberattacks.
The word “crisis” originates from the Latinised form of the Greek word “krisis”, which designates the moment when an illness reaches a critical point, either leading to recovery or death. By extension, the word “crisis” is nowadays used to designate a difficult period experienced by an individual, a group, or – in the case of an IT failure – a company.
The French equivalent of the UK's Home Office has a division – IHEMI – which offers the following definition: "a cyber crisis is a crisis related to a cyber attack which specifically targets the digital heritage, the technical infrastructures or the information systems of a company."
When it comes to tackling those cyber crises, crisis management must embrace several approaches:
Cyber crises are also quite specific. They encompass a series of risk factors:
Before beginning to design your crisis management programme, you must first consider the variety of possible crisis scenarios for your business. The risk of computer hacking looms over companies. The different types of risks are listed by the UK government on its web page dedicated to cybersecurity breaches:
Cyberattacks target both private companies and public administrations. If you want cyber crisis management to be effective within your organisation, you should include all of your employees in the process.
A recent study, “Cyber Insecurity: Managing Threats from Within” carried out by The Economist Intelligence Unit looked into how more than 300 executives, CIOs (Chief Information Officers) and CISOs (Chief Information Security Officers) manage cyber crises.
85% of respondents to this survey believe that human vulnerabilities constitute the number one threat to their company's cybersecurity. If this is true, then technological breaches have less impact than staff or partner negligence. In more detail:
That is why effective cyber crisis management needs to implement measures to train every employee of the company.
Crisis management includes as many steps upstream as those downstream of the trigger event:
1 / Plan for the various crisis scenarios and develop the means to mitigate or prevent negative consequences.
2 / Internally spread a culture of cyber risk awareness, and have a team design monitoring mechanisms to detect the warning signs of an incoming cyberattack.
3 / Provide training to your teams on crisis management, taking into account what your risk mapping strategy has pointed out as the main risks, or even better, train them in compliance with a precise quantification of cyber risks. These simulation exercises make it possible to assimilate procedures and methods, but also to identify potential failures before the onset of a genuine crisis.
4 / Recognise the onset of the crisis: a sudden and unexpected event that corrupts the normal operation of the company. The event is serious, and threatens the stability of the organisation.
5 / Define the trigger event of the cyber crisis, if possible before it has serious consequences. This step boils down to specifying and confirming the type of cyberattack you are dealing with.
6 / Once the crisis has been confirmed, proceed to the “remediation” stage. In an emergency situation, this means taking immediate action to mitigate and contain the risk in the short term. This may involve putting devices on standby or duplicating hard drives. You can also file a complaint as soon as possible with the relevant authorities and report the possible theft of personal data.
7 / Mobilise your crisis response team. They will coordinate the various teams’ actions according to a pre-established crisis management plan. This body within the organisation will play the role of crisis manager and avoid potential chaos when decisions need to be taken.
8 / Activate the various crisis management teams:
9 / Establish operational cyber crisis management procedures for each of the various teams. In the context of a cyber crisis, if you want to put an end to a cyberattack, your IT infrastructure first needs to go through a containment phase before being restored.
10 / When the crisis is over, lift any extraordinary measures and start collecting feedback.
11 / Prepare for future crises by tightening up prevention measures. The IT department should reassess the system’s resilience to other potential cyberattacks, in the interest of continuous improvement.
Crisis preparedness depends on three components: risk assessment, identification of crisis scenarios, and simulation exercises.
An effective crisis management procedure necessarily includes a crisis preparation phase. It is all about anticipating risk in order to prevent it more effectively. Hackers are indeed capable of identifying weaknesses, whether they relate to your technology, your staff, or your organisational structure. Being aware of those vulnerabilities allows you to manage crises more efficiently.
This assessment of your structural weaknesses generally implies conducting IT and organisational audits. You could also implement risk mapping, to prioritise your cybersecurity efforts and draw up potential cyberattack scenarios.
By imagining the course of a cyberattack on your computer systems, you also get a good preview of the potential errors that could amplify its consequences. Establishing scenarios therefore reduces the risk of problems piling up.
Try to picture the spontaneous reactions of your teams, including them in the process. Find the solutions that can help them remain calm and make decisions without improvising. Think about what emergency measures should be favoured: a system quarantine? A duplication of hard drives? Contacting a manager first?
These scenarios must be clearly written down and communicated to all employees. They have to remain easy to access in case of an emergency.
True cyber crisis management cannot be effective without cyberattack simulation exercises. This can be an attack simulation drill; it can be an exercise where you mobilise, by surprise, the crisis response team; or it can also simply be a scenario for which you picture the chain reactions in the event of a cyber crisis.
Allow this simulation exercise to run for between an hour and a day, depending on the number of partners involved in the process. You may also choose to condense the exercise, without replicating the actual timescale of crisis management.
Ideally, the simulation should, of course, be based on a realistic stress scenario, which concerns a likely and serious risk to the company. Keep in mind, however, that this is just a simulation. The normal operation of your organisation should not actually be disturbed.
As seen previously, crisis management follows a specific process through different stages. Each of these stages corresponds to a specific tool, which can improve the process:
The corpus of documents of the crisis kit varies greatly between companies. It does, however, include some key strategic documents for a successful cyber crisis resolution:
Cyber crisis management is based on the traditional process of any crisis management. In general terms, it is necessary to anticipate the risks in order to be able to identify an incident caused by cybercrime. It is then necessary to mobilise the crisis unit and carry out the remediation procedures. Crisis management ends with the feedback analysis and the creation of a new cyber crisis management policy.
Cyber crises are often difficult to identify. With the exception of a denial of service attack, the consequences of which are immediately tangible, the IT department generally does not spot a cyberattack until after it has occurred, for example when it is already seriously compromising data security.
A cyber crisis can cripple your computer systems, or result in the theft of sensitive data. It can expose you to blackmail, or it might damage your reputation, and consequently your financial worth.