Cyberattacks have significant implications beyond IT crises, impacting services, reputation, mergers and acquisitions, financial markets, brand value, compliance, and more. When your most critical systems collapse, you need to be able to manage this disruptive and unforeseen event. Unfortunately, you won’t have much time available for your decision-making, and each decision will impact the severity of the crisis. Moreover, you won’t be alone in making those decisions. Effective cyber-crisis management requires collaboration among various teams, including IT, communication, legal, and other relevant professionals.
A crisis usually occurs when a successful, strategic exploitation of vulnerabilities disrupts a company’s operations. These vulnerabilities can be in your software, your networks, or human behavior (e.g., clicking on a phishing link). Through these vulnerabilities, attackers gain access to your systems or network. Once inside your environment, they can embark on a process of lateral movement, thoroughly exploring your systems to learn where your business-critical and sensitive data resides.
Once they clearly understand which valuable assets to target, they disrupt your systems and use encryption to make your data inaccessible. This will, of course, create a sense of urgency and panic, which is the ideal moment for criminals to demand a ransom in return for your data, or in return for a promise not to make your data public.
Understanding vulnerabilities is crucial for crisis preparation. Conducting technical and organizational audits helps identify potential risks and prioritize critical protective measures based on people, processes, and tools. Some examples of these measures are awareness training, business continuity planning including essential updates and backups, and, last but not least, a crisis management plan and exercises. Crisis management must focus on rapid response, implementing emergency measures, and safeguarding critical assets.
Crisis preparation also addresses the psychological and organizational impact, ensuring employees can make informed decisions under pressure. Crisis management exercises simulate cyber-attacks and can vary in duration and complexity; running these simulations is very important to prepare your crisis team. Scenarios should be realistic and relevant to engage all stakeholders, highlighting the most probable threats with significant impacts. Ensure all those stakeholders are ready, from technical first responders to functional teams and strategic decision makers. The exercises test their knowledge, build routine responses, and enhance communication skills across different platforms (as the usual channels might be unavailable or unsafe in the event of a crisis).
Post-exercise analysis allows you to learn from mistakes, generate recommendations, and draw up an action plan for continuous improvement. In addition, regular updates to crisis management policies, training sessions, and annual exercises ensure ongoing preparedness.
At some point, someone will come to you to say that something is not right. This may be the authorities, the CISO, your (external) SOC team, a customer, or worse: the attacker. The first thing you need to do is qualify whether this is true or not. It might be an incident that you can manage relatively easily, or it can be a crisis. If it is a crisis, it will have a huge impact, and you will need to mobilize the proper crisis unit: your operational crisis unit, your decision-making crisis unit, or both. They must make the right decision at the right time, often advised by (external) security experts such as a CSIRT (Cyber Security Incident Response Team).
It is important that, before starting the mitigation process, the business decides upon the top five actions to take. This prevents your CSIRT from constantly shifting its focus, which could lead to improper use of resources and a loss of overview and time during the incident.
Furthermore, it is crucial to inform all involved parties (authorities, employees, clients...) as soon and as clearly as possible. Make sure you know whether your company has to comply with the NIS2 Directive, as this could mean that you are bound to strict notification deadlines (within 72 hours). Monitoring your environment to confirm that the crisis is truly over is equally crucial.
It is hard to say when a crisis is truly over, and it can have a long-lasting effect. Once the immediate pressure has passed, you will need to restore your environment and prepare for the next crisis. When you evaluate, you should assess both the root cause of the crisis and how you handled it. The Active Directory domain and all applications will need to be restored and secured. Update the flows, documentation, and future crisis exercises to set up a continuous improvement plan, including lessons learned, a security roadmap, awareness training, etc.
A company’s ability to respond to a crisis and contain its negative impacts (on its business, activities, personnel, image, and reputation) depends on its level of preparation and training. Here, in short, is the procedure to follow to best prepare for a cyber crisis: