The National Cyber Security Centre (NCSC) continuously warns businesses about the proliferation of issues related to cybersecurity in 2022. In such a context, its main recommendation is simple: British companies must prepare for cyberattacks, and to achieve that, they first and foremost need to train their crisis response teams – and now!
Who should be part of the crisis unit? Why should they be appointed upstream of the crisis? What are the risks of not creating a crisis response team now? The following article offers a comprehensive guide to the procedures needed to set up an effective crisis response team.
What is a “crisis response team”, “crisis management team”, or “crisis unit”? In everyday terms, we could say that it is “the team that handles the crisis management of a company, both in terms of logistics and crisis communication strategy”.
So, the core goal of the crisis management team consists of solving issues related to sensitive or critical situations. In detail, the crisis management team:
The crisis response team is an answer to abnormal, rare, and dangerous circumstances for the company. Its first role is to design a set of measures just as extraordinary as the situation, which must constitute a quick and effective framework for a crisis situation.
In doing so, the crisis response team offers a crisis resolution system focused on coordinating the management of activities and information. This multidisciplinary assignment brings together several complementary goals:
A risk audit makes it possible to determine the potential field of intervention of a company's crisis response team. Risk audits are generally necessary in any situation that exposes the reputation of the company.
Crises often result from an event capable of slowing down or stopping your activity. DDoS (Distributed Denial of Service) attacks, for example, render your website or your online services inaccessible. This is an example of a crisis situation. Another might be a cybercrime damaging the reputation of your services, such as the theft of personal data. Faced with a varied array of potential risks, the decisions your crisis unit makes can be very different from one given crisis situation to another.
It is better to set up your crisis response team upstream of potential crises, after having assessed cyber risks and other potentially dangerous scenarios. Your crisis response team must bring together strategic departments within the company:
If necessary, you could also designate a spokesperson and a coordinator for the team. However, efforts must be made to restrict the crisis response team to a limited number of participants – keep in mind that it has to remain flexible and efficient. Alternatively, many organisations decide to seek help from outside experts:
A document should also be in place that details the role of each member within the crisis response team, their objectives, and the means placed at their disposal. This file, often in the form of a table, needs to be updated regularly. Each member of the crisis unit must also be easily reachable – it is a good idea to create a contact list.
Having a crisis management team should relieve some pressure from general management. It is a flexible tool, capable of adjusting to a crisis situation in real time, following scenarios prepared in advance. Relying on a crisis response team will ensure that:
Setting up a crisis response team, however, is not, in itself, enough to solve the problem. For effective crisis management, you need a trained team and a clear distribution of tasks between members. Each member should also be included in the conceptualisation of the business continuity plan, as crisis management can only be successful if the team members understand crisis management strategies before having to apply them.
Similarly, be careful not to build a crisis response team around the authority of a single person – the coordinator, for instance. In order for the crisis unit to show the flexibility necessary for responsive crisis management, each member requires a sufficient degree of autonomy in their own field. When this parameter is not respected, crisis response teams can be slowed down by lengthy validation processes, making it arduous to reach a quick and effective way out of a situation.
The organisation of a crisis response team is carried out both before the onset of a crisis and after. In any case, it follows precise procedures supported by specific tools.
What does the process of setting up a crisis response team look like in the event of crisis management applied to cybersecurity? Here we take the case of a Denial of Service attack, which blocks access to your online services.
For an effective crisis response team, you need to define the types of risk that threaten the company. This is precisely the idea behind establishing a cyber risk map.
The make-up of a crisis unit greatly depends on the risks that you assess as priorities for your organisation, such as potentially serious threats to your business, stakeholders, or both.
The identification of those risks – cyber risks in this example – determines the composition of the crisis response team and the planning of its tasks. Taking into account the risk of a Denial of Service attack requires including the information systems security manager (ISSM) in the crisis unit.
When the crisis response team is being prepared, it is necessary to design a “crisis guide” that lays out procedures, tools, and responsibilities when an attack strikes. It must include the table previously mentioned and specify the identity of each member, their contact details, role, and degree of autonomy in decision-making.
This guide may also include a document listing the equipment placed at the service of the crisis response team and how it works. In the case of a DDoS cyberattack, it may be a switchboard dedicated to internet users' questions, for example. You may also want to plan for extra computers, dedicated email addresses, etc.
This crisis guide also needs to feature the crisis unit’s logistical structure and chain of command. The general idea is to facilitate the action of the crisis response team to avert unknown sources of errors on D-Day.
The members of the crisis response team must be aware of the major risks. They must also train, along with their respective teams, to recognise the signs of a possible emerging crisis. In the case of a Denial of Service attack, for example, you may notice unexplained traffic spikes or a sudden slowdown in your online service.
If your crisis unit detects such signals, all its members must be alerted to ensure the unit’s proactivity in crisis management. Then, they check that this is not a false alarm. You may suspect a DDoS, but a simple DNS configuration error could, after all, be slowing down online services.
Finally, the crisis response team needs a reference document listing the various questions and the corresponding solutions to run through in the event of a crisis. The style and content must be the same for every team member called upon to speak.
Indeed, in order to be impactful, your crisis communication needs to show consistency. However, it must also take into account the diversity of your targets – your investors probably don't expect the same information as the general public. Besides, your crisis communication has to plan for arguments and counterarguments at the same time.
In the event of a real crisis, the crisis response team has to keep up a juggling act between procedures to put in place, documentation theory, experience from drills, and the specific characteristics of the current crisis. If you want your crisis response team to succeed, they must follow these steps:
1 / When someone detects a pre-alert or an alert, they must inform the coordinator of the crisis response team and the appropriate managers. In the case of a cyberattack, this is usually the IT director. The IT director must then collect as much information as possible on the anomaly, then decide whether the risk is serious enough to mobilise the crisis response team. Mustering the crisis management team must be done quickly, step by step, in accordance with a predefined diagram.
2 / Ideally, the crisis response team meets at the company's headquarters in a dedicated room containing all the necessary equipment.
3 / The crisis unit is set in motion according to the pre-existing table of responsibilities, with each action being logged in a “crisis book”.
4 / Team members in charge of communication collect information on the crisis – on the cyberattack, for the sake of this example – and then exploit the prepared arguments from the reference document (see point 4 of the previous section) to adapt this data to different audiences: media, board of directors, customers, etc.
5 / The spokesperson communicates with the media, alone if possible, to avoid contradictory messages which would only worry the target audience. Transparency guarantees the success of crisis communication.
After the storm, the report that the crisis response team prepares on how it managed the crisis – also called a “crisis book” – can serve as a resource for improving the company’s operation in the event of future crises.
The crisis response team, or crisis unit, anticipates the risks that threaten an organisation. The team manages a crisis when it occurs, centralises information, and draws lessons from what happened.
Assembling a crisis response team has to be done upstream of the actual outbreak of a crisis. It brings together all the representatives of the departments that support the operation of the company.
Things can be fast-moving in a crisis situation, so decision-making needs to be meticulous and effective. If roles and responsibilities within the team are not clearly distributed to a dedicated task force, employees will take actions that risk overlapping or contradicting one another. The whole organisation may then be compromised: the crisis will only deepen, with everyone pointing the finger at each other. It then becomes hard to draw lessons from the whole experience. Put simply, having a crisis management team helps prevent that.