When a cyber security incident happens, more often than not people in the organisation will turn to the IT department to fix it.
Without a doubt the IT department has a part to play and yes, its typically seen as their responsibility to either conduct the initial triage or to resolve the technical issue in its entirety. However, they are by no means the only players required to handle the crisis and organisations often overlook or completely underplay who else needs to be involved, failing to communicate to the rest of the organisation the part they need to play.
Cyber security incidents can come in many forms; they could be triggered by something as simple as a Twitter account being hacked, or it could be a denial of service (DDOS) attack on the ecommerce site. It could also be a major breach of data and financial records. Irrespective of the type it will not be the sole responsibility of the IT department to fix; different attacks mean different responses from several key members of personnel or departments.
Organisations therefore need to look beyond incident management and consider building a crisis management capability. The strategies and procedures that an organisation adheres to prior to, during and after a cyber security crisis and consists of several key phases:
Defining cyber security levels: Define the "state of readiness"; when do you trigger actions to be taken? As you move to more severe levels what does that mean and what do you do during normal operations? Have you got cyber security playbooks in place?
Identify a Crisis Management Team (CMT): Individuals who respond, coordinate and react as a team in a crisis. Typically consists of Executives, Senior Management and individual employees who have specialist knowledge, such as IT administrators or media relations representatives. They act as the core team during the crisis and direct operations.
Have a Crisis Management Plan (CMP): A CMP anticipates crises; that's its sole purpose. If you are proactive and prepared, then you will have a "fighting chance" of how to react when things go wrong.
Train: Consider simulations, media relations and journalist response training with regards to how staff are expected to deal with a crisis.
Have a Crisis Communications Plan (CCP):
- Fact gathering - what should be communicated, what response is needed?
- Key messages - what is going to be included in all communications?
- Assign spokespeople - Some senior personnel, as well as someone charged primarily with communications responsibilities
- Update electronic media - Blogs, websites, twitter, Facebook, etc; how these are done, how regularly and by whom?
- Law Enforcement - Do they need to be involved? If so, what is the communications channels and what reporting needs to be adhered to?
- Phone calls - How to handle phone calls from customers and the press, develop scripts for the staff
- Media Relations - Spokespeople; who and how they communications and the relationships that will be required to be forged
- Approval - Who approves information prior to releasing? How is this done?
- Media Monitoring - what and how is it monitored? Online coverage?
This is by no means an exhaustive list. There are a multitude of other factors to consider, but it is designed to get you to think. These are areas that highlight the several critical elements of any crisis management programme. By having a Crisis Management Plan in place, organisations are better prepared to identify potential attack scenarios, enabling you to better handle a security incident irrespective of type and scale. An effective CMP will also take into account any required legislation or regulations, ensuring your organisation remains compliant.
If you'd like to find out more about crisis management and incident response, or to speak to an expert, click here.