The National Cyber Security Centre (NCSC) keeps warning about the multiplication of issues related to cybersecurity in companies in 2021. In such a context, its main recommendation is simple: British companies must prepare for cyberattacks, and to achieve that, they first and foremost need to train their crisis response teams now.
Who should be part of the crisis unit? Why should they be appointed upstream of the crisis? What are the risks of not creating a crisis response team now? The following offers a comprehensive guide to setting up a crisis response team and the procedures to make it efficient.
What is a crisis response team? It may also sometimes be referred to as “crisis management team”, or “crisis unit”. A common definition would be “the team who handles the crisis management of a company, both in terms of logistics and of crisis communication strategy”.
So, the core goal of the crisis management team consists in solving issues related to sensitive or critical situations. In detail, the crisis management team:
The crisis response team is an answer to abnormal, rare, and dangerous circumstances for the company. Its first role is to design a set of measures just as extraordinary as the situation. This must constitute a quick and effective framework for the crisis situation.
In doing so, the crisis response team offers a crisis resolution system focused on coordinating the management of activities and information. This cross-functional assignment brings together several complementary goals:
The risk audit makes it possible to determine the potential field of intervention of a company's crisis response team. A risk audit is generally called for in any situation that exposes the reputation of the company.
Those crises often result from an event capable of slowing down or stopping your activity. DDoS (Distributed Denial of Service) attacks, for example, render your website or your online services inaccessible. This is an example of a crisis situation. Another one might be a cybercrime damaging the image of your services, such as the theft of personal data. The decisions your crisis unit makes can be very different from one crisis situation to another.
It is better to set up your crisis response team upstream of potential crises, after having assessed cyber risks and other potentially dangerous scenarios. Your crisis response team must bring together the strategic departments of the company:
You can also add to this team a spokesperson and a coordinator if need be. However, efforts must be made to restrict the crisis response team to a limited number of participants: keep in mind it needs to remain flexible and efficient. That said, many organizations decide to seek help from outside experts:
A document must also detail the role of each member within the crisis response team, their objectives, and the means placed at their disposal. This file, often in the form of a table, needs to be updated regularly. Each member of the crisis unit must also be easily reachable: create a contact list.
A crisis management team takes a weight off the general management. It is a flexible tool, capable of adjusting to the crisis situation in real time, following scenarios prepared in advance. Relying on a crisis response team will ensure:
However, setting up a crisis response team is not enough to solve the problem. For effective crisis management, you need a trained team and a clear distribution of tasks between members. Each member should also be included in the conceptualization of the business continuity plan. Crisis management can only be successful if the team members know the crisis management strategies before having to apply them.
Also be wary of crisis response teams built around the authority of a single personality, the coordinator for instance. For the crisis unit to show the flexibility necessary for responsive crisis management, each member needs a sufficient degree of autonomy in their own field. When this is not the case, the crisis response team is slowed down by validation processes. It is then arduous to reach a quick and effective way out.
The organization of a crisis response team is carried out both before the onset of a crisis and after. In any case, it follows precise procedures supported by specific tools.
What does the process of setting up a crisis response team look like in the event of crisis management applied to cybersecurity? Here we take the case of a Denial of Service attack, which blocks access to your online services.
For an effective crisis response team, you need to define the type of risks that threaten the company. This typology also means that you need to establish a cyber risk map.
The constitution of the crisis unit greatly depends on the risks that you assess as priorities for your organization. Those are potentially very serious threats to both your business benefits and your stakeholders.
The identification of those risks – cyber risks in this example – determines the composition of the crisis response team and the planning of its tasks. Taking into account the risk of a Denial of Service attack requires including the information systems security manager (ISSM) in the crisis unit.
When the crisis response team is being prepared, there is a need to conceptualize a “crisis guide” specifying the procedures, tools, and responsibilities in troubled times. It must include the table previously mentioned, which details the identity of each member, their contact information, their role, and their degree of autonomy in decision-making.
This guide may also include a document listing the equipment placed at the service of the crisis response team and how it works. In the case of a DDoS cyberattack, it may be a switchboard dedicated to Internet users' questions. You may also want to plan for extra computers, dedicated email addresses, etc.
This crisis guide also needs to feature the logistics structure of the crisis unit, as well as its chain of command. The general idea is to facilitate the action of the crisis response team to avert unknown sources of errors on D-day.
The members of the crisis response team must be aware of the major risks. They must also train, along with their respective teams, to recognize the signs of a possible emerging crisis. In the case of a Denial of Service attack, for example, these signs are unexplained traffic spikes or a sudden slowdown in your online service.
If your crisis unit detects such signals, all its members must be alerted to ensure the unit’s proactivity in crisis management. Then, they check that this is not a false alarm. In the event of a suspected DDoS, a simple DNS configuration error may be enough to slow down online services.
Finally, the crisis response team needs a reference document listing the various questions they need to ask themselves in the event of a crisis and the corresponding solutions. The style and content must be the same for every team member called upon to speak.
Indeed, if you want to convince, your crisis communication needs to show consistency. However, it must also take into account the diversity of your targets. Your investors probably don't expect the same information as the general public. Besides, your crisis communication has to plan for arguments and counterarguments at the same time.
In the event of a real crisis, the crisis response team juggles procedures, the theory in documents, the experience from drills, and the specific characteristics of the current crisis. If you want your crisis response team to succeed, they must follow these steps:
1 / When someone detects a pre-alert or an alert, they must inform the coordinator of the crisis response team and the appropriate managers. In the case of a cyberattack, this is usually the IT director. The IT director must then collect as much information as possible on the anomaly. He or she then decides whether the risk is serious enough to mobilize the crisis response team. Mustering the crisis management team must be done quickly, step by step, in accordance with a predefined diagram.
2 / Ideally, the crisis response team meets at the company's headquarters in a dedicated room containing all the necessary equipment.
3 / The crisis unit is set in motion according to the pre-existing table of responsibilities. Each action is reported in the “crisis book”.
4 / Team members in charge of communication collect information on the crisis (on the cyberattack, for the sake of this example). They use the prepared arguments from the reference document (see point 4 of the previous section) to adapt this data to different audiences: media, board of directors, customers, etc.
5 / The spokesperson communicates with the media, alone if possible, to avoid contradictory messages which would only worry the target audience. Transparency guarantees the success of crisis communication.
After the storm, the report that the crisis response team formulates on its management – also called a “crisis book” – can serve as a support to improve the operation of the company in the event of future crises.
The crisis response team, or crisis unit, anticipates the risks threatening the organization. This team manages the crisis when it occurs, centralizes information, and draws lessons from what happened.
Assembling a crisis response team has to be done upstream of the actual outbreak of a crisis. It brings together all the representatives of the departments that support the operation of the company.
When a crisis occurs, things move really fast, and decision-making needs to be meticulous and effective. If roles and responsibilities within the team are not clearly distributed to a dedicated task force, employees will take actions that risk overlapping and contradicting one another. The whole organization may then very well be compromised, and the crisis will feed on itself, with everyone pointing at each other. It is then very hard to draw lessons from the whole experience. Having a crisis management team helps prevent that.