
How to react during a cyber-crisis

Arnaud Lautier at Orange Cyberdefense explains the importance of preparation and practice when defending against cyber-attacks

 

Whether your data centre is on fire or cyber-criminals are exfiltrating data, the crises hitting your business will vary. Crises are measured by their impact, not their nature, meaning the crisis management process is always the same, no matter the cause: prepare, detect, and recover. 

 

However, it’s more likely than ever that businesses will face a cyber-crisis. Over the last 12 months, there has been a 77% increase in the number of cyber-extortion victims, prompting the industry to seek more effective ways of managing cyber-security crises.

 

While not every cyber-event is a crisis, businesses must act accordingly when one does occur. A crisis is something exceptional that can’t be resolved by usual processes and within the normal functioning of the organisation. This means that employees involved in managing a crisis are required to step outside of their usual roles and responsibilities.

 

The word ‘crisis’ is often used colloquially for a range of cyber-events, but qualifying them correctly according to pre-established criteria will ensure businesses can take the necessary steps when required and minimise the crisis’ impact. 

 

So, what makes a cyber-crisis? Usually, it involves a lack of visible impact on the information system (e.g., in the case of data exfiltration, the company might not know the data has been taken until it’s exploited), an event that cuts across the entire company, and one that is dynamic in response to containment measures (e.g., a cyber-criminal who changes their attack posture to avoid defeat).

 

Effective handling of a cyber-crisis comes down to properly managing the incident before, during and after it happens. Steps to take before involve building a crisis management organisation and raising cyber-risk awareness through training clinics with tailored scenarios and effective communication.

 

As the saying goes, fail to prepare, prepare to fail. But what should you do when the worst does happen? 

 

Taking the first step 

Taking the first step is always the hardest, and this is especially true in the event of a cyber-crisis. The struggle is that there is no standard action as every crisis and every company is different. However, if businesses have spent enough time on the preparation stage of the process, they should be able to kick their plan into action as soon as the crisis is discovered, with those involved adopting their reactive roles to tackle it. After detecting the crisis, this stage – and the speed at which it’s done – is critical. 

 

This team must then quickly decide what they want to save first, often at the expense of other data, which is why planning and trialling crisis management exercises are so important. To cause maximum damage, it’s not uncommon for cyber-criminals to conduct attacks when senior decision-makers and technical teams aren’t present in the hopes of disrupting this process.

 

So, identifying the right people and having contingency plans in place if they’re not available – or not contactable, as cyber-crises frequently disrupt internal communications systems – can be make or break.

 

What not to do 

It’s impossible to predict every eventuality, but the worst reaction to a cyber-crisis comes when a company isn’t prepared. By the time you’ve been hit by a crisis, it’s too late to start thinking about what to do, so take this as a warning to plan and practise your response: suffering an attack is almost inevitable, even if you have all the right protections in place.

 

Following this, the second worst reaction is not following the plan that has meticulously been prepped and practised. Implementing it in the moment is very different to a tabletop exercise but I advise you to remember what you’ve rehearsed, and not to confuse speed with haste. Making decisions in a hurry and skipping over parts of the plan will mean all the preparation is wasted and mistakes will be made. 

 

Another serious mistake is siloing the reaction process within the IT sphere. Just as a crisis is likely to impact an entire cross-section of the company, technical and functional stakeholders from across the business should be mobilised to minimise the effects of an attack. This includes those in HR and communications to ensure that both internal and external stakeholders are kept abreast of the crisis as it unfolds to ease concerns as much as possible.

 

It is important to remember that while a cyber-crisis is a business-critical issue, it will also be a very emotive time for those directly involved, as well as those on the periphery who may be worried about their work or data.

 

Those tasked with managing and tackling the crisis will be working flat out, and it’s not uncommon for them to forget to eat or sleep. If your front-line staff aren’t properly fuelled or are emotionally and physically exhausted, bad decisions will ensue. A vital part of your crisis response must be taking care of the team.  

 

Keeping the wheels in motion

When the initial steps have been taken to control and contain the crisis, the team should then turn to continuity planning. What needs to happen to ensure that the company can continue to operate, even if it’s at a reduced level of activity? Plans to move employees to another location, give them new computers and transfer uncompromised data to new machines should be enacted.

 

Cyber-crises will be costly, so doing all you can to carry on business as usual can be the difference between surviving an attack or going under. 

 

By the time you’re struck by a cyber-crisis, all you can do is put your plans into motion. This is why it’s so important to prepare and practise your response to different types of cyber-crises and ensure your crisis response unit is a well-oiled machine.

 

When in doubt – before, during or after a crisis – reach out to your network, as there will always be CISOs or other industry professionals who have experienced the same situation and can provide first-hand advice about what worked and what didn’t. 

 

The cyber-crime wave is growing, and we can only fight it by working together and spending as much time preparing to respond to an attack as cyber-criminals spend preparing to conduct them. 

 


 

Arnaud Lautier is Cybersecurity, Crisis Management & Business Continuity Lead Consultant at Orange Cyberdefense

 

Main image courtesy of iStockPhoto and Ekaterina79



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543