Recently I posted the following statement on LinkedIn: 

For years, companies have treated cybersecurity as a risk that IT could solve alone.  Beyond IT, companies need to add the crisis management component to define their response.  Understand key decisions, communications and reputation management requirements.  #CyberSecurity #CrisisManagement

I am a senior crisis management and business continuity consultant.  I talk to a lot of clients, and I have spoken at several webinars, and ‘in-person’ events in recent weeks.  Regardless of the setting, I talk about cyber A LOT, and I have this conversation more often than you would think.  Too many people still think of cyber as an IT issue and ignore (or at least downplay) the critical aspect of effective response:  Crisis Management.

Over the summer I was golfing with the president of a company that I hoped would become a client.  During the game, he was dealing with an inaccurate news story that was being reported about his company.  The company is extremely well known regionally and has over 7,000 employees.   After he took several phone calls between the 4th and 5th holes (which I bogeyed by the way), I suggested that he should get his Communications team to issue a statement to correct the story.  He told me, “I am the communications department.”  Around the 7th hole, I brought up cyber and asked if they were prepared for an attack.  “We’ve already been attacked; we deal with it all the time.”  I told him that I know that companies are always under attack, but I wondered if he felt ready to respond to a successful attack.  His response told me all I needed to know.  “Oh, I don’t know, I’ll put you in touch with our head of IT and she’ll let you know”.  (There is SO MUCH troubling me at this point.  I can’t get my head around his lack of a strategic, crisis management approach to doing business.  It’s unthinkable to me that a company of that size doesn’t have a communications department.  And clearly, he still believes that cyber issues reside solely with IT).

When it comes to cyber response, I don’t want to suggest that IT doesn’t have a primary seat at the table.  IT is critical.  The work they do in cyber prevention and detection is essential.  Your company wouldn’t survive without it.  Your cyber team are the subject matter experts when responding to a cyberattack.  The technology-focused aspect of cyber response cannot be overemphasized.  But what I’m suggesting is, there’s so much more to it than technology.  While IT is working to mitigate the impact to the network, the Crisis Management Team should be working to mitigate the impact to the company’s reputation and operations.

Simply put, you need a cyber response plan that leverages your existing Crisis Management Team and lays out a clear strategy for responding to a cyberattack.  A recent study shows that companies that utilize a well-rehearsed response plan can save as much as 54% during a cyberattack.  In fact, Northbridge Insurance issued a statement recently that says:

“When it comes to a data breach, time is money – quick, well-organized responses often end up costing less. So, if you invest in a sound data breach response plan now, you may find that it pays for itself several times over in the years ahead.”

The Cyber Response

The key here is to have a plan that lays out specific roles and responsibilities.  The good news is, you don’t have to start from scratch.  In fact, it would be a mistake if you did start from scratch.  Leverage your existing Crisis Management Team and build on the roles and responsibilities you have defined there, while expanding the team to include much-needed resources.  Your Crisis Management Team will expand to include:

  • Cybersecurity Lead. This person will become the Subject Matter Expert related to the attack and will liaise between the technical team and the Crisis Management Team.  The Cyber Lead will report the details of the incident and any ransom demands to the Crisis Management Team and provide insight regarding the level of exposure of data and the systems affected by the
  • Insurance Lead. I recommend adding a seat at the table for the person who is most familiar with your cyber insurance policy.  Engage the Insurance Lead early so that you can follow the insurer’s protocol for notification.  In a perfect setting, the Insurance Lead is a member of your Legal team, so that engagement of the insurance company can be done under privilege. Speak to your Legal department to understand how privilege can be protected during your cyber response.  The Insurance Lead is responsible for interfacing with your cyber insurance provider, including notifying them of the incident, filing a claim and engaging the insurer’s response team.  It’s important that they understand the details of the insurance policy including scope, limitations, restrictions and requirements for notification.
  • Business Lead. Engage the department head(s) from the business units affected by the attack.  They will be able to relay important information about the impact that the attack is having on the business.  Urge them to invoke their Business Continuity Plan and execute whatever workaround strategies are in place for downed technology.  Having the Business Lead at the table will help the Crisis Management Team understand the urgency of recovery, which is good information to consider when deciding whether to pay a ransom.

Often, when we think of crisis management, we picture a group of business leaders sequestered in a back room, planning their next move.  But in a cyber response, you’re going to bring in some external resources as well.  External resources include:

  • Your Insurer. In many cases the insurance company will provide a representative to join you at the crisis management table.  This may be in the form of a breach coach who will help you navigate through the response phase.  Often a breach coach is helpful as they will bring a great deal of experience to the table. This is especially helpful if your crisis management team lacks the experience of a real-world crisis, or if you are a smaller organization with limited resources.
  • Approved Third Parties. Often, insurers will arrange for you to utilize services from valuable third parties.  This can range from law firms who specialize in cyberattacks and privacy breaches, public relations firms who can assist with notification letters and public statements, communications firms who can help you set up a specialized call center or forensic experts who can assist with the technical analysis of the attack.  These resources are often covered by the insurance policy and can provide excellent support at time of crisis.


My approach is to define specific responsibilities for each role identified above, along with your traditional crisis management roles like Communications, Legal, HR, Technology, etc.  Include cyber-specific responsibilities and tasks for your Crisis Lead and make sure they are fully prepared to facilitate a response.

When it comes to developing a Cyber Response Plan, there are a couple of ways to go about it.  For example, you can write the plan yourself.  Advantages include lower cost and a more thorough awareness of your company’s culture and approach.  Another choice is to outsource the project to a consultant like myself.  Advantages to this include experience with cyber plan development and insights into legal, communications, privacy and insurance strategies.  If you go external, find a consultant with a collaborative approach, who isn’t trying to ‘hit a home run’ financially on every project.  Collaboration with an internal resource will provide better awareness of how your organization responds to a crisis.

Alternatively, I provide a half-day workshop that lays out all the details and steps required for you to write your own response plan.  This is considerably less expensive than hiring an external resource to write the plan.

Finally, whatever you do, however you end up writing the plan, you’re doing yourself a disservice if you don’t exercise the plan.  Remember Northbridge’s quote that I shared with you earlier.  They don’t just call for a plan, they call for a “well-organized” plan.  And the best way to become well-organized is to practice, rehearse, exercise.

Cyber Response.  It’s not just an IT issue.  Engage your crisis management team now, before it’s too late.


Mark Hoffman, MBCI, CBCP

  • Senior crisis management and business continuity consultant with cybersecurity response and crisis communications experience in a leadership role, spanning twenty years.
  • Proven track record across multiple sectors including Financial, Insurance, Utilities, Consulting and Municipal Government.
  • Quick to build relationships and achieve results working collaboratively with business leaders and executives.
  • Extensive experience in the development and execution of tabletop and operational exercises with a focus on measurable results that lead to overall improvement of plans and programs.