COMMENTARY
Many organizations have gone to great lengths in preparing for a cyberattack, leveraging both services and solutions to limit risk and exposure. Despite these efforts, breaches persist, ransomware payouts have grown, and leaders continue to make mistakes during cyber crises that impact organizations and customers both short and long term.
Most of these mistakes happen when the stakeholders do not know their roles, responsibilities, and what they are authorized to do in a crisis. This lack of clarity causes friction when leaders are required to make several highly impactful decisions during a cyber incident with little time and often limited verified information.
The biggest challenge facing crisis response teams is that there is simply never enough time to gather, verify, and analyze the information needed to make the best possible decision. Under the pressure of a compressed timeline and increasingly concerned stakeholders, executives and board members tend to fixate on finding ways to shorten the time to remediation.
They should also prioritize reducing present and future risks for the company and ensure their teams do the same, but that often gets overlooked. As everyone within the organization turns to leadership for guidance and direction, it’s important for those in charge to understand who their greatest allies are during a crisis and how they can leverage them to minimize the business and reputational impact of a breach.
Open and Ongoing Communications
During the crisis, leadership must rely on its guiding principles to define its communication strategy and provide employees with a North Star that explains what they need to do right away. This starts with establishing a secure and classified crisis war room to collaborate and communicate under privilege, categorizing the event and defining what can and cannot be shared, and clearly defining roles and responsibilities for each stakeholder. This creates a leadership filter that determines who is authorized to make decisions and sets a timeline in motion for when information should be disseminated internally and externally, which systems need to be taken offline or brought back online, and if or when authorities and regulators should be contacted.
Organizations must maintain constant communication with each line of business throughout the crisis because it empowers employees to make the micro-decisions necessary to limit the ongoing business and reputational harm. There is no better example of this than former Maersk CEO Soren Skou, whose tip-of-the-spear leadership helped the company navigate the unprecedented 2017 NotPetya malware attack. Skou participated in all crisis calls and meetings, focused on internal and external communication, and instructed all frontline staff across the 130 countries in which Maersk operates to “do what you think is right to serve the customer — don’t wait for the HQ, we’ll accept the cost.” In doing so, Maersk quickly mobilized to identify and remove the malware from its systems to restore operations, provided real-time feedback to its stakeholders about the situation, and resumed online bookings just eight days after the attack.
Built-in Alternatives
Each decision made during a crisis can set off a chain reaction that compounds damage. Business and security leaders often experience a rush of cortisol during the first few hours of a crisis that induces a “fog of war” feeling, clouding judgment and causing mistakes. It is important to understand during these moments that every decision has more than one option, that leaders must ask the right information-gathering questions to support a full business response, and that there is no perfect answer or solution.
Redundancy is a key strategy to save time during a crisis, and the most mature organizations have created a collaborative response plan based on the PACE model. For instance, if an organization suffers a ransomware attack and its communications platforms are potentially compromised, moving to an alternate platform quickly removes a significant amount of risk. Teams should be aligned on how much risk they are willing to take with each decision and create a coordinated understanding of their options. By working through the pros and cons associated with these choices, executives and board members can determine which decisions their organizations should make to get operations back up and running as quickly and efficiently as possible.
Driving a Culture of Preparedness
Organizations that have dedicated the necessary time to preparing their teams for a crisis have confidence in their employees to successfully execute the incident response plan and limit the amount of damage inflicted by a threat actor. Testing each level of these plans, especially the “small details,” is critical for successful execution of the organization’s strategy. It allows leadership to adapt their playbooks and runbooks to various situations and circumstances, and evolve their pre-crisis plans to account for emerging threats and their effects on the business.
Conducting tabletop exercises, creating and testing playbooks and runbooks, and putting employees through real-life simulations during war games fosters a well-coordinated response and puts teams in the best position for when (not if) a situation arises. These exercises can reveal potential gaps and answer questions such as: How does the company communicate with its employees when the email platform is compromised? Who manages the list of employees and their corresponding contact information? Where is that document stored, and when was it last updated? The answers to these questions correlate directly with a company’s maturity and preparation.
When a corporation finds itself in the middle of a cyber crisis, the key stakeholders will shift their focus to the executive leadership team to determine how well they are responding. During these times, it is imperative for executives and board members to understand who their top allies are, and how to best leverage them to successfully navigate the situation and minimize the financial and reputational harm caused by the breach.