The Ultimate Contingency: Cyber Crisis Management
For a business owner, not exercising keen crisis management would be the equivalent of driving without insurance. If you crash without a contingency to cover damages, not only didn't you arrive on time to your destination, you're liable for any damages you might have caused to others.
Similarly, if a poorly debugged web app crashes, because there's a bug in the code that denies service, or leaks sensitive data, then all you have left is liability and excuses.
In the unfortunate event your company experiences a “DEFCON 1” level crisis, what are you going to tell your employees?
Moreover, what are you going to tell your customers? Whether it’s a data breach or a major power outage, having the right tools in your toolbelt could determine whether your company will endure the test of time in a world full of unknown variables.
This article will help you understand what IT crisis management is and how it can help you protect your business.
What is a Crisis?
A crisis can be defined as a sudden event that has caused significant disruption to an organization’s operations. It's not the same as an incident, though it can initially appear as such, but can snowball into a crisis.
As our world continues to evolve, inalienably joined to cyberspace, complications can and will arise from the equipment we use to the services we depend on.
These kinds of problems are often larger issues that arise after a less significant incident has been reported. Unlike an incident, a crisis needs immediate and methodical attention because it has the potential to put a company’s reputation at risk and have notable financial implications.
Some common examples of IT security crises are data breaches, ransomware attacks, distributed denial of service attacks (DDoS), or insider threats. Don't forget those.
If a critical web application crashes because it wasn't thoroughly debugged, that's an incident. If service isn't restored quickly, it can escalate into a cybersecurity crisis.
Top Priorities During a Crisis
Here are some of the top things companies should adhere to as priorities during a cyber security crisis.
Preparation. Companies often do not have a plan in place and they are not aware of the potential consequences of a cyber attack. From my own personal experience as a former black hat hacker, every company I broke into did not have a contingency in the event of a cyber crisis.
In the digital age, crisis management has become essential for any company. With social media and instant news coverage, it is more important than ever that a company is prepared for anything.
There are many ways to prepare for the potential event, but one of the most effective ways is through simulations. These simulations can include a disaster scenario or a public relations crisis and provide employees with hands-on experience in how to respond to these types of events.
It would be ideal to develop an additional playbook for cyber crises to store with your incident management plan.
Communication. Having an emergency communications plan that includes detailed instructions on what to do during a PR catastrophe or exigency is a wise idea. It would be beneficial to include a chart indicating the order in which the members of your response team, stakeholders, and customers should be contacted.
It is important to maintain an open and clear line of communication to keep everyone involved informed to avoid confusion about the emergency. From a public relations and legal standpoint, it is vital to not divulge specifics nor speculative outcomes while making your current actions and commitment to enhance security measures a focal point until your investigation and remediation have concluded.
Failure to act quickly. Companies that wait too long before following a procedure during a crisis can risk cracking the proverbial ballast and flipping the ship upside down.
For example, in 2008 my website came under a cyberattack. The database was breached, and I had a major crisis on my hands. Everyone on call designated as responders for a cyber crisis in our phonebook wasn't available.
This was a critically time-sensitive matter. I pulled myself from a family Thanksgiving party to take the site offline, change all the passwords and contact our hosting provider to report the attack.
Failing to act quickly during a crisis can have a huge impact on your company. Every account holder on my website was now a target to further intrusions, and it was up to me to race against the clock to ensure that didn't happen.
A vital risk when you fail to act quickly is legal liability. If someone is harmed because of the issue, then there is potential for lawsuits or other legal action against the company responsible for it; resulting in fines or even prison time in some cases if the damage was severe enough. It can also lead to damage to your reputation, lost customers, and more.
How can cybersecurity crisis management be used to protect your business?
There are a lot of different ways you can use crisis management to protect your business and you will have to use some aspect of it in order to address problems that will arise.
The system that you develop must include measures to prevent or make threats and attacks less severe in the future. It also must encompass steps that need to be taken to recover.
There are two types of cybersecurity crisis management plans: reactive and proactive. One example of how you can use a reactive plan of action is when your website gets hacked.
Ensure that all the components that make up your network security layer are actually running and operating properly. It is the priority of cybercriminals to ensure these are disabled.
Additionally, it is imperative to include steps to follow in the event of a cyber-attack or cyber crisis while monitoring it. On the other hand, a proactive plan is used when you know there will be an emergency coming up soon, such as during hurricane season. The word that comes to mind is planning contingencies to ensure you never lose a beat. Because if you don't, I can assure you with reasonable certainty you will wish you did. Technology, as it were, is like a house of cards.
An article by Jesse McGraw
Edited by Anne Caminer