By Jo De Vliegher, Client Partner at ISTARI
An organisation’s approach and experience with a crisis can vary. Some face chaos and disorder, while others have instilled a system of calmness and can overcome challenges.
Some organisations operate under the false premise that they can deal with cyber-attacks without prior preparation; this sets them up for failure.
Drawing on lessons from previous cyberattacks, here are some of the ways companies can best prepare for a cyber crisis by developing cyber resilience.
Understanding a crisis
Preparing for a crisis can be the difference between surviving an attack and facing dire consequences. But organisations require quite a bit of preparatory work to be able to activate crisis mode and keep critical operations running adequately.
Based on my past experiences, I find that the first step to complete preparedness is understanding what a crisis would mean for an organisation. People underestimate the crisis element spectacularly. In most cyber crises, an active adversary purposefully tries to cause harm over a period of time rather than in a single hit. This typically cripples a company far more broadly than a general crisis, as a cyberattack can hit all departments globally within seconds or minutes. Misunderstanding the potential scope of a crisis is one of the biggest inhibitors to proper resilience or preparedness.
Common issues involved in preparing for cyber attacks
- Businesses often perceive cyber attacks as one-time incidents that their teams can and will fix should one arise, but things are rarely that simple. Don’t view them as a static event but rather as a dynamic period during which organisations can do much right or wrong.
- Another myth many businesses believe is that they can pay the ransom and get back to business when facing a ransomware attack. In reality, ransomware attacks impact companies differently, causing reputational issues, operational problems or financial damage. All of these impacts can be severe, so treat them with caution. Understand the most perilous risks, and beyond planning how to mitigate any disruption, align leadership on the company’s fundamental policy: to pay or not to pay? Also, companies should be aware that paying a ransom doesn’t remove the attacker’s access to the systems, creating a risk of continued extortion.
- Many leadership teams mistake a cyber crisis plan for a business continuity plan. These are two distinct things. Yes, a continuity plan is essential to have in place, as it can help to restore systems. However, a cyber crisis plan needs to take other factors into account as well, such as data theft or the intent of criminal gangs to cause more damage for extortion purposes. Unfortunately, many teams focus solely on getting the business back online and do not give enough thought to these other considerations.
Developing your crisis response plan
The first few hours and days of a crisis are the most important. Having immediate incident response support can allow the business to continue communicating with customers and keep operations running. However, it is practically impossible for the same people who fix your systems to also spearhead critical operations while the attack is ongoing. What’s more, it is essential to start thinking early about long-term plans, such as rebuilding and recovering safely for the future.
Before an attack occurs, pre-planning for each of these stages is critical to ensuring that organisations can emerge from an attack in a position of strength. Cybersecurity professionals and business heads should convene and discuss the impact a cyberattack can have on the business and which parts are most critical. Executive management must also consider cyber crisis preparedness a high priority.
How do you know when your organisation is prepared?
The first step in testing your organisation’s preparedness is identifying the company’s crown jewels in the context of survival. These are the assets, business processes and reputational risks that most affect the business’s ongoing viability, as opposed to the assets that are long-term business success factors. For example, payroll may not be a competitive advantage, but it is certainly a critical process to control during a crisis. Once they are identified, your scenario planning needs to account for how different attack situations can affect the crown jewels. From there, create a cyber crisis playbook outlining the critical decisions that leaders might face. Thinking these through ahead of time reduces the number of decisions that later have to be made on the fly.
The next step is to ensure crisis roles are allocated to the right people, both internally and externally. And then, test it all. Run war games and fire drills against the cyber crisis plan to demonstrate that the playbooks are detailed and plausible; along the way, you will continuously find areas for improvement.
Why it’s worth it in the end
Building out an effective crisis preparedness plan is about reducing the risks and consequences of an attack and knowing how to keep or get the business running again. Companies that test their cyber resilience and mitigation plans will have an advantage over those that are not prepared, as they can more likely prevent a crisis from causing any serious harm. And given that cyber preparedness can be the catalyst to build general resilience and preparedness, prepared organisations will emerge generally stronger than when they began.