2 December 2020
The crisis is exceptional. It cannot be resolved by the usual processes and within the normal functioning realm of an organization. Employees involved in managing a crisis must step outside their usual roles and responsibilities.
We note, however, that most companies use the word “crisis” to describe incidents that they could manage without disrupting their practices. The difference between a crisis and a security incident requires a certain maturity and/or good training. In particular, we write trigger matrices for some of our clients. These make it possible to qualify an incident according to pre-established criteria and to determine whether or not a crisis has occurred.
One of the specificities of a cyber crisis is its lack of visible impact on the information system (IS). In the case of data exfiltration, the IS functions normally but the impacts will only be perceived later when the data is exploited by the attacker. Among other specificities, we find the transversal nature to the whole company, but also dynamic through the capacity of a cybercriminal to react to the containment measures put in place, by modifying his attack posture in particular.
There is no real standard reaction because every situation and every company is different. That said, the first reflex is to protect what can be saved, and that means making tough choices. During a crisis, you have to react quickly, and sometimes you have to determine what will be protected first and what will be left out, even if only initially. The ability to best manage a crisis often lies in the ability to mobilize the right people in record time. It is indeed more relevant for a cybercriminal to launch his attack during a strategic period, for example, when the decision-making and technical teams are not present. This is why it is so important to identify the right people upstream to manage a crisis.
The less prepared a company is for a cyber-crisis, the more serious and difficult the impacts will be. Thus, the worst thing to do is to think that it only happens to others. Even for prepared companies, the worst reaction we’ve seen is to make decisions in a hurry, before all the elements are actually in place. During a crisis, we run out of time, it is inevitable, but speed should not be confused with haste: bad decisions increase the negative impacts of a crisis considerably. In the worst case, actions to contain the attack can cause more damage than the attack itself.
Finally, cyber-crises have the particularity of being cross-cutting: managing them solely through the IT prism is a real starting mistake. From the very beginning of the crisis, it is necessary to mobilize all the players, whether technical or functional. Once the attack scenario and the impacts on the company have been identified, only those directly concerned will remain.
It is advisable to organize shifts very early, but also simple things that can easily be forgotten, such as the delivery of meal trays or the setting up of sleeping rooms for the teams to rest. It is not uncommon for some employees not to eat or forget to sleep during a crisis: this affects their health, both morally and physically, and induces bad decisions. For employees who are not part of crisis management units, the best thing to do is to communicate: information should come from within the company than from the media. If the decision has been made not to talk during the crisis, we recommend capitalizing on feedback to raise awareness of good practices.
It is necessary to identify its essentials and preserve what can be so that the company can continue to run. Sometimes this means moving employees to another location and having them work from new computers. Other times, it means switching data from one compromised machine to another. In this case, you need to be certain that the cybercriminal doesn’t have access to it because it’s often the last line of defense. The continuity plan must be sufficiently robust and proven in the face of a cyber-attack.
In order not to be subjected to it, you have to pilot it. Calling on security consultants specialized in crisis management allows you to be supported. What is a distressing event for a company will be a working day like any other for an expert, who will have faced a multitude of situations. Without calling on professionals, talking to other CISOs can help: one of them may have experienced the same crisis. You have to build your network and rely on it, and above all, never stay alone in the face of a crisis.