Crisis response team

How to manage the aftermath of a cyber attack?

Who should be part of the crisis unit? Why should they be appointed upstream of the crisis? What are the risks of not creating a crisis response team now? The following offers a comprehensive guide to setting up a crisis response team and the procedures to make it efficient.

Published on 13 August 2021 (Updated on 17 June 2022)

The National Cyber Security Centre (NCSC) keeps warning about the multiplication of issues related to cybersecurity in companies in 2021. In such a context, its main recommendation is simple: British companies must prepare for cyberattacks, and to achieve that, they first and foremost need to train their crisis response teams now.

Crisis response team: a definition

What is a crisis response team? It may also sometimes be referred to as “crisis management team”, or “crisis unit”. A common definition would be “the team who handles the crisis management of a company, both in terms of logistics and of crisis communication strategy”.

So, the core goal of the crisis management team consists in solving issues related to sensitive or critical situations. In detail, the crisis management team:

  • is in charge of implementing preventive actions;
  • limits the impact an emerging crisis may have on the activities and the survival of the organization;
  • protects, at the same time, the reputation and the potential financial valuation of the company in the face of a crisis situation.

What is the role of a crisis response team?

The crisis response team is an answer to abnormal, rare, and dangerous circumstances for the company. Its first role is to design a set of measures just as extraordinary as the situation. This must constitute a quick and effective framework for the crisis situation.

In doing so, the crisis response team offers a crisis resolution system focused on coordinating the management of activities and information. This cross-functional assignment groups together several complementary goals:

  • centralizing data to avoid misinterpretation risks;
  • controlling communication and clarity of messages;
  • conceptualizing and planning the crisis management;
  • coordinating resources related to crisis resolution;
  • disseminating the right messages to the press, stakeholders, and the general public.

In what contexts should you establish a crisis unit?

The risk audit makes it possible to determine the potential field of intervention of a company's crisis response team. A risk audit is generally seen as called for in any situation that exposes the reputation of the company.

Those crises often result from an event capable of slowing down or stopping your activity. DDoS (Distributed Denial of Service) attacks, for example, render your website or your online services inaccessible. This is an example of a crisis situation. Another one might be a cybercrime damaging the image of your services, such as the theft of personal data. The decisions your crisis unit makes can be very different from one crisis situation to another.

Who should be in your crisis response team?

It is better to set up your crisis response team upstream of potential crises, after having assessed cyber risks and other potentially dangerous scenarios. Your crisis response team must bring together the strategic departments of the company:

  • general management;
  • site directors, if applicable;
  • communication management;
  • legal affairs management;
  • quality management;
  • heads of relevant departments, in particular the Cyber and Information Systems Division, in the event of cyberattacks.

You can also add to this team a spokesperson and a coordinator if need be. However, efforts must be made to restrict the crisis response team to a limited number of participants: keep in mind it needs to remain flexible and efficient. That said, many organizations decide to seek help from outside experts:

  • crisis management consultants;
  • crisis communication experts;
  • legal practitioners, lawyers in particular;
  • cybersecurity consultants if the crisis occurs because of a cyber incident.

A document must also detail the role of each member within the crisis response team, their objectives, and the means placed at their disposal. This file, often in the form of a table, needs to be updated regularly. Each member of the crisis unit must also be easily reachable: create a contact list.

Pros and cons of a crisis management team

A crisis management team takes a weight off the general management. It is a flexible tool, capable of adjusting to the crisis situation in real-time, following scenarios prepared in advance. Relying on a crisis response team will ensure:

  • preparation in case of a crisis, which mitigates its negative impacts and improves the resilience of the company;
  • that crisis situations become less frequent;
  • business continuity.

However, setting up a crisis response team is not enough to solve the problem. For effective crisis management, you need a trained team and a clear distribution of tasks between members. Each member should also be included in the conceptualization of the business continuity plan. Crisis management can only be successful if the team members know the crisis management strategies before having to apply them.

Also be careful of crisis response teams built around the authority of a single personality, the coordinator for instance. For the crisis unit to show the flexibility necessary for responsive crisis management, each member needs a sufficient degree of autonomy in their own field. When this is not the case, the crisis response team is slowed down by validation processes. It is then arduous to reach a quick and effective way out.

How to organize a crisis response team?

The organization of a crisis response team is carried out both before the onset of a crisis and after. In any case, it follows precise procedures supported by specific tools.

What does the process of setting up a crisis response team look like when crisis management is applied to cybersecurity? Here we take the case of a Denial of Service attack, which blocks access to your online services.

Upstream of the crisis

For an effective crisis response team, you need to define the type of risks that threaten the company. This typology also means that you need to establish a cyber risk map.

1. Define the risks to make up the team

The constitution of the crisis unit greatly depends on the risks that you assess as priorities for your organization. Those are potentially very serious threats to both your business benefits and your stakeholders.

The identification of those risks – cyber risks in this example – determines the composition of the crisis response team and the planning of its tasks. Taking into account the risk of a Denial of Service attack requires including the information systems security manager (ISSM) in the crisis unit.

2. Creation of the crisis guide

When the crisis response team is being prepared, there is a need to conceptualize a “crisis guide” specifying the procedures, tools, and responsibilities in troubled times. It must include the table previously mentioned, which details the identity of each member, their contact information, their role, and their degree of autonomy in decision-making.

This guide may also include a document listing the equipment placed at the service of the crisis response team and how it works. In the case of a DDoS cyberattack, it may be a switchboard dedicated to Internet users' questions. You may also want to plan for extra computers, dedicated email addresses, etc.

This crisis guide also needs to feature the logistics structure of the crisis unit, as well as its chain of command. The general idea is to facilitate the action of the crisis response team to avert unknown sources of errors on D-day.

3. Set up a monitoring procedure

The members of the crisis response team must be aware of the major risks. They must also train, along with their respective teams, to recognize the signs of a possible emerging crisis. In the case of a Denial of Service attack, for example, these signs include unexplained traffic spikes or a sudden slowdown in your online service.

If your crisis unit detects such signals, all its members must be alerted to ensure the unit’s proactivity in crisis management. Then, they check that this is not a false alarm. In the event of a suspected DDoS, a simple DNS configuration error may be enough to slow down online services.

4. Prepare the arguments

Finally, the crisis response team needs a reference document listing the various questions they need to ask themselves in the event of a crisis, along with the corresponding solutions. The style and content must be the same for every team member called upon to speak.

Indeed, if you want to convince, your crisis communication needs to show consistency. However, it must also take into account the diversity of your targets. Your investors probably don't expect the same information as the general public. Besides, your crisis communication has to plan for arguments and counterarguments at the same time.

Once the crisis has begun

In the event of a real crisis, the crisis response team juggles procedures, the theory in documents, the experience from drills, and the specific characteristics of the current crisis. If you want your crisis response team to succeed, they must follow these steps:

1 / When someone detects a pre-alert or an alert, they must inform the coordinator of the crisis response team and the appropriate managers. In the case of a cyberattack, this is usually the IT director. The IT director must then collect as much information as possible on the anomaly. He or she then decides whether the risk is serious enough to mobilize the crisis response team. Mustering the crisis management team must be done quickly, step by step, in accordance with a predefined diagram.

2 / Ideally, the crisis response team meets at the company's headquarters in a dedicated room containing all the necessary equipment.

3 / The crisis unit is set in motion according to the pre-existing table of responsibilities. Each action is reported in the “crisis book”.

4 / Team members in charge of communication collect information on the crisis (on the cyberattack, for the sake of this example). They use the prepared arguments from the reference document (see point 4 of the previous section) to adapt this data to different audiences: media, board of directors, customers, etc.

5 / The spokesperson communicates with the media, alone if possible, to avoid contradictory messages which would only worry the target audience. Transparency guarantees the success of crisis communication.

After the storm, the report that the crisis response team formulates on its management – also called a “crisis book” – can serve as a support to improve the operation of the company in the event of future crises.

Frequently asked questions about crisis response team

The crisis response team, or crisis unit, anticipates the risks threatening the organization. This team manages the crisis when it occurs, centralizes information, and draws lessons from what happened.

Assembling a crisis response team has to be done upstream of the actual outbreak of a crisis. It brings together all the representatives of the departments that support the operation of the company.

When a crisis occurs, things move really fast, and decision-making needs to be meticulous and effective. If roles and responsibilities within the team are not clearly distributed to a dedicated task force, employees will take actions that risk overlapping and contradicting one another. The whole organization may then very well be compromised, and the crisis will feed on itself, with everyone pointing at each other. It is then very hard to draw lessons from the whole experience. Having a crisis management team helps prevent that.