"That will never happen"

A new approach to Cyber Crisis Management


Author: Luke Fletcher, Senior Crisis Consultant at Secura

As a Senior Crisis Consultant in the cybersecurity industry, I see a shift in how organizations prepare themselves for a potential cyber crisis. Traditional risk assessment methods are no longer sufficient. They often result in measures only being taken for the most likely incidents.

However, it is usually the events considered unlikely that cause the greatest impact, precisely because organizations have not prepared for them. Regulators recognize this, so here is my wake-up call: prepare for the WORST…

I see two big challenges organizations face:

  1. Determining what the worst case scenario could be and to what extent you should prepare.
  2. Linking the technical, operational and tactical response to strategic crisis management.

Let’s look at how you can start to tackle these challenges.

1. Preparing for the Severe but Plausible

A recent study published by the European Union Agency for Cybersecurity (ENISA) states that the EU is in ‘an era of permacrisis and polycrisis’.

What does this mean? Permacrisis is defined as a long period of great difficulty, confusion, or suffering that seems to have no end. Polycrisis is defined as the simultaneous occurrence of several catastrophic events.

A rather stark picture, unfortunately. The challenge for many organizations is therefore to determine what a worst case crisis looks like for them, and how much to invest in preparing for it. This matters all the more because regulators across Europe, with NIS2, DORA and other regulation in mind, expect resilience even against the most ‘severe but plausible’ events.

‘That will never happen’

As the expectation is that your organization remains resilient even against worst case scenarios, the old likelihood-driven, risk-based approaches are no longer effective. In my experience as a crisis manager, many organizations find this a difficult concept to accept.

I can recall a few examples in my career where I have proposed a high severity scenario as an idea for a crisis exercise, only to have this shot down by the statement ‘that will never happen’.

Yet, in a few standout examples, and coincidentally, almost the exact scenario proposed materialized in a similar fashion not long after. I imagine that in 2016, before the NotPetya attack on Maersk, their risk assessments would have dubbed the scenario that unfolded in June 2017 highly unlikely, limiting the appetite for resilience investment.

The key to solving this challenge

So, what should you do instead? The key to solving this challenge is to first ensure you have a crisis framework that is adaptable enough to deal with any kind of crisis. Fortunately, a team of experts in the crisis management field recently created a new International Standard on Crisis Management to help organizations with this. The standard is ISO 22361 and describes how to implement a crisis management framework, its principles and its processes, as per the diagram below.

[Figure: ISO 22361 crisis management framework, principles and processes. Source: iso.org]

Review case studies

Another key way to prepare your organization for a full-blown cyber crisis is to review case studies of how cyber attacks have impacted other organizations. Learn the lessons they learned, and then consider how those scenarios could have been worse.

Exercise these scenarios to see how your organization would respond. What if the power outage in Ghana (which kept a clean copy of Maersk’s domain controller data offline and intact) had not coincided with the NotPetya attack? What if a second ransomware attack hits you shortly after the first?

2. Operational, Tactical and Strategic Teams should prepare together

The second big problem that I see many organizations struggle with is the cooperation between Operational, Tactical and Strategic teams. A cyber crisis like a ransomware attack requires a coordinated response from across the organization.

This is a challenge because organizations do not respond to cyber crises regularly (thankfully!). As a result, technical and strategic teams rarely interact in such scenarios. Even when performing crisis exercises, these teams usually exercise independently and rarely simultaneously.

In practice, even when they do exercise at the same time, technical teams often find it difficult to relay information in a concise, non-technical way that strategic teams can understand and base their decisions on.

Making sure that your operational response processes align with the tactical and strategic response is key to effective coordination. To make this possible, exercise these processes across all layers of the organization simultaneously. That is the only way to determine whether they work, and it requires practice.

Conclusion

In my job as Senior Cyber Crisis Consultant, I see that many organizations still underestimate the preparation required for an effective response to a cyber crisis. I believe all organizations should prepare more consciously and thoroughly for the severe cyber incidents that ‘will never happen’, and should do so in exercises that bring the Operational, Tactical and Strategic teams together.

Cyber crisis management is no longer just a checkmark on your compliance list, but a condition to survive.



About the author

Luke Fletcher, Senior Crisis Consultant at Secura

Luke Fletcher is a Senior Crisis Consultant at Secura with over 10 years of international experience in crisis management and operational resilience.


Luke holds a BSc (Hons) First Class in Disaster Management & Emergency Planning and has operated within the Finance, Energy and Higher Education sectors.


He is a passionate professional who has built crisis management capabilities in-house, coordinated the response to major crises, and delivered numerous crisis and resilience projects for clients, including the design and delivery of cyber crisis exercises.


Why choose Secura | Bureau Veritas

At Secura/Bureau Veritas, we are dedicated to being your trusted partner in cybersecurity. We go beyond quick fixes and isolated services. Our integrated approach makes sure that every aspect of your company or organization is cyber resilient, from your technology to your processes and your people.

Secura is the cybersecurity division of Bureau Veritas, which specializes in testing, inspection and certification. Bureau Veritas was founded in 1828, has over 80,000 employees and is active in 140 countries.