How to succeed in cyber crisis management and avoid a Tower of Babel
Although cyberattacks have become more common, handling them remains extremely challenging for organizations. Even if things go well on the technical level, incident response (IR) is still a stressful and hectic process across the company; this is the reality of cyber crisis management.
For cyber professionals, the aftermath of handling an attack can often feel like winning the battle but losing the war. I have seen this feeling unfold numerous times during the past six years as I have handled more than 400 cyber incidents of all kinds, including attacks carried out by criminal and state-backed groups.
For example, I recently managed a cyber incident in a large company where, on a technical level, the handling of the incident was excellent but the cooperation with the management was complex and frustrating, a real Tower of Babel. The tech teams did not speak a language that the business side, including senior members of the organization’s management, could understand. The management could not work at a pace and with the flexibility required for the rapidly changing cyber world. And mistakes in the management’s decision-making on legal issues, business and information system continuity, and on what was communicated to personnel and the public ultimately had an effect on the technical activity to remedy the incident and the perception of how it was handled.
Obviously, every organization must have a systematic plan for evaluating, identifying, and dealing technically with a cyber incident. But every company must also prepare for IR at the organizational level. To do that, there should be an orderly and continuous process of cyber crisis management readiness.
Step 1: Determining organizational assumptions and defining roles
Organizations need to develop working assumptions about the main threat actors, likely targets, and practical ramifications of a cyberattack. The organization should also identify the main scenarios it may need to deal with, including a situation that results in shutting down the main business activities and a situation in which sensitive information is leaked or stolen. These assumptions and scenarios should be based on the nature of the organization, the sector in which it operates, its geographic location, and its history of cyber events. They should be updated constantly as the business and the threats change and grow. Publicly listed companies should also be aware of the reputational and financial risks that could come with attacks, as regulations increasingly require reporting of cyber incidents.
In addition, each organization needs to determine its guiding principles by answering key questions, such as whether it would negotiate with attackers and whether it would ever consider paying a ransom. It also needs to decide who will mitigate an attack: an internal team or a hired third party. Finally, the company should determine who among its management is the risk owner for each step of dealing with an attack. Companies can use a RACI matrix for this, which helps determine who is Responsible, Accountable, Consulted and Informed at each stage of a cyber crisis.
Step 2: Building an integrated action plan across all departments
Each department needs to build a plan for dealing with cyber crisis scenarios. For example, the legal department will understand in advance any regulatory requirements, including what information needs to be shared with investors, customers or the public. The external relations department will prepare in advance the framework for bulletins or announcements related to a cyberattack, as well as a potential distribution list.
The management of the company needs to make sure each department knows its role, has a plan, and that the plans are synchronized and coordinated across departments.
Step 3: Building an IR plan
Organizations need to determine which infrastructure will be used during the mitigation of a cyberattack, including which information technology infrastructure will be used to manage the attack, and have contingency plans for situations in which the corporate networks and IT systems are not functioning. When possible, the plan should also consider how to ensure business continuity during the mitigation process.
This part of the plan also involves appointing which individuals will manage the mitigation process and setting up a rotation of shifts around the clock, so that someone from the organization will always be on duty in the event of an ongoing cyber emergency.
Step 4: Practicing the plan at the departmental and organizational level
Building a plan is not enough; it should be practiced through drills and rehearsals, both inside departments and at the overall organizational level. This allows companies to recognize any gaps in the plan and to remedy them effectively.
Holding a drill is also an effective way to involve all managers and employees. This helps make them more aware of the role and importance of cybersecurity, and how it is not just a technical issue but an existential concern that involves all parts of an organization.
These days, no one can completely avoid an attack, and believing so would be naïve. But the next best thing to stopping an attack is mitigating it.
It is possible to assess the main consequences of different types of attacks, and each department has the responsibility to develop cyber crisis management plans. This will allow them to manage the crisis, rather than be managed by it. The involved parties will be able to communicate and avoid a “Tower of Babel” situation. Ultimately, this will reduce mistakes and damage to the organization, shorten the duration of the crisis response, and result in less frustration for the many stakeholders inside and outside of the organization.