The number of cyber-attacks is increasing at an unprecedented rate with no two being the same. We sat down with Nick Prescot (Senior Manager, UK Cybersecurity practice) to discuss cyber crisis management and some key considerations to help C-level executives prepare for a cyber-attack.
What do we mean by Cyber Crisis Management?
Cyber crisis management encompasses 3 key areas:
Firstly, there is the cyber resilience side of things. You can liken this to an elastic band – how far it stretches is representative of how much a business can take away from its day-to-day operations in the face of a cyber-attack, how much redundancy is in place and how many layers of triage exist. High availability businesses with a strong resilience strategy for example, may be able to deal with 1-2 incidents at the same time before operations are compromised.
Secondly, you’ve got the actual cyber response element. This is about the ability to detect and respond to the cyber-attack as quickly and effectively as possible. Well-established cyber playbooks covering a variety of incidents and scenarios will allow you detect, react and respond accordingly. They will help answer key questions such as: how do you detect the bad guys actually getting in? … and what do you do once they’re in?
Finally, there’s cyber recovery. This occurs post-crisis and looks at how a business returns its IT estate to BAU operations. Cyber recovery is all about having a strategy to rebuild on the assumption that everything has gone (e.g. ‘earth-scorched’ scenario). For example, some organisations have pre-stored copies of critical information in a secure vault to allow them to rebuild and restore as necessary.
How can C-level executives understand and make sure they’re prepared for those attacks?
Simply, prepare for the worst; not too distant from that saying in the military of…train hard and fight easy. A key message for top management in any organisation is that an effective response starts way before the attack might occur. Have those crisis management plans in place, test, refine and test again. Know likely attack-scenarios and build flexibility into your plans to ensure that they are not too dogmatic in their application and still allow you to respond to the real-time threat.
C-level executives need to have a pragmatic and robust security posture, making sure that they practice table-top exercises and run red-team tests on a routine basis.
We’ve found that the real effectiveness of running simulation exercises, comes when you mix the cyber and the real world together. For example, previously we’ve helped a global insurer understand what they might do if the crisis team’s situation room was suddenly unavailable due to terrorist attack (… an extreme example of course).
On a similar note, top management must prepare for the ‘n+1’ type scenarios. For example, many crisis response plans assume there is still email access, but what if this has been knocked out as part of the cyber-attack? In this situation, one solution may be to use a predefined WhatsApp network to call, message and share information. I’ve even worked with a couple of companies who have their business continuity plans on WhatsApp.
Additionally, C-level executives need to take a pragmatic look at what information they’re really looking to protect; is it financial, personal, employee-related? Notably, for an increasing number of organisations, their operations are not dependent on the bricks and mortar of the office but making sure that there is availability and flow of information e.g. by moving infrastructure to the cloud and improving their digital workplace can help run the business remotely.
What critical information can your business not function without? I think a lot of companies, from a crisis management perspective, never really answer that question unfortunately.
Given their high positions with organisations, C-level executives will likely come under scrutiny for their external response. This is important in the fast-paced world of social media, in which hackers will socialise the attack before they do. For example, with the 2017 Equifax breach, their communications were delayed (breach discovered on July 29th but wasn’t publicly announced until September 7th), often confused at times (some information about the severity of the attack muddling previous versions), and their apology lacked customer empathy (more corporate than sincere). Here, you can see how imperative it is to have a robust crisis communications strategy as the way senior management respond and react publicly will be scrutinised to the nth degree; it should be transparent, consistent and accurate.
Although there are many different crisis management strategies out there, the key takeaway for top management is that rigorous preparation, testing and refinement of your cyber crisis management capability will go a long way when the time comes to use it for real.