Cyber crisis management
Why do you need cyber crisis management?
If you manage a micro or small business, you probably don't have enough resources and people to prevent and fight cyber crimes. For medium enterprises, it is more realistic to delegate a few specialists to work on cyber security. However, even the smallest business should feel obliged to improve cyber crisis management procedures.
Cyber crisis management protocols consist of 3 stages: 1) prevention, 2) response to the crisis, and, finally, once the dust settles 3) recovery. In this module, you will deepen your knowledge regarding stages 2 and 3.
Thanks to this module, you will improve your cyber crisis management procedures with steps that help you deal with a hacker's attack.
Identify the crisis
First of all, you need to know what may be classified as a cyber crisis.
For example:
• hacked devices
• screen mirroring of your devices
• copied emails
• stolen credit card data
• stolen client database
• crashed websites
• breached networks
• denials of service, etc.
All suspicious cyber events should start your cyber crisis protocol and launch stage 2 — response. Even if you are not 100 percent sure what happened, it is better to initiate an action.
Remember, it is not only about you and your business's current situation. You also have to care about:
• your clients' and business partners' safety
• your business's profitability
• your business's future reputation
Response to the cyber crisis
The role of time
Your reaction to the cyber crisis has to be fast. Sometimes you have only a few seconds to do something, and the worst scenario is to start a panic. Keep in mind that panic and fear may cost you the whole business you built.
Why do you need a person(s) responsible for cyber crisis response?
Cyber crisis response is a plan that you implement in case of an attack. When someone hacks you, there is no time to think who will do what. Everyone needs to be prepared. That's why you need to have one or multiple people responsible for cyber crisis response.
What do you think: does the person (or people) responsible for cyber crisis response have to have an IT background?
Are you uncertain whether the people responsible for cyber crisis response should have an IT background? Well, we can tell you that the IT background is not the most important factor. Why? To begin with, let's take a look at the cyber crisis response person's responsibilities.
Cyber crisis response person's responsibilities
• to know the backup plan
• to monitor all activities within the crisis
• to lead the internal strategy
• to implement the cyber crisis communication protocol
If the person responsible for cyber crisis response has an IT background, he or she may better understand all of the steps involved. However, without the leadership and management skills that are crucial here, an IT person can't implement the cyber crisis response.
If you have a micro-company, it is obvious that you need to prepare yourself for that possibility. You can also sign an agreement with a cyber expert that you trust. Small or medium companies should appoint a leader for the cyber crisis response stage.
It is good to remember that the cyber crisis response may be implemented remotely.
The backup plan
In MMSE, the backup plan may differ depending on the industry, type of business, etc.
However, you should consider the following steps:
Know your providers
Keep the contact information of all your providers (Internet, cloud, hosting, etc.) in a secure, offline form. An attack can also be carried out from your local network, so even if you are not connected to the Internet, your passwords and sensitive data may get stolen.
To do:
Consider all possible attacks before they happen. Keep all important contacts not only online, but also in printed form.
Follow the traces
If you notice suspicious actions:
• on your bank account, call your bank and block all credit cards;
• in your business cloud, contact the provider (by phone or e-mail).
Pull out the plug!
Sometimes it is the only way to stop the cyber attack.
To do:
If you notice suspicious events on your or an employee's computer or other device, just pull out the plug.
Cyber crisis communication protocol
Thinking about the response to a cyber crisis, you should consider the crisis communication protocol. Here, time is always the most important factor. Communicate as soon as possible with the key stakeholders and inform them about the problem. You should be the source of facts — not the newspapers or social media.
Show your stakeholders you care about them, and you have already taken adequate steps to minimize the cyber crisis consequences.
You have to be ready for this step before the attack, so prepare the key stakeholders list:
• clients (especially if you have a client database)
• your suppliers
• business partners, sponsors, and investors
• neighbors / other businesses in the building (maybe the attacker hacked them too)
You also have to consider making a statement on your website, social media, or in other media. Of course, you can delegate one of your employees to this task.
It is crucial to update your statement frequently. Your stakeholders and audience need to be sure that you take care of their data. Remember that the outcome of the cyber attack may determine the future of your business.
How to speak about the cyber crisis?
• Always speak clearly.
• Give straight answers to the questions.
• Use facts, not opinions.
• Do not accuse anyone or apologize until you know what happened.
• Avoid emotional reactions.
Recovery after the cyber crisis
How to return to normal after the cyber crisis?
After the cyber crisis, each business needs to take some steps to return to normal functioning. That is how we reach the third stage of cyber crisis management called disaster recovery.
Recovery after the cyber crisis includes post-event steps like:
• assessments (of the damages, causes, and the management)
• lessons learned
• planned improvements
Do the assessment!
Recovery starts after the cyber crisis. To make sure that your business will be "healed", you need to take radical steps. First of all, you need to find the gaps that made the attack possible.
• Plan the assessment meetings with your team to discuss all damages made during the cyber attack. Find and understand the causes. If necessary, ask external experts for support.
• Evaluate your cyber management plan. Discuss it step by step, including all actions taken, to understand what went wrong.
Lessons learned
During or after the assessment, create a list of vulnerabilities that made the cyber attack easier. Do not take it personally. Do not think about it as a failure. More important is to learn from this attack.
If you are a leader or business owner, your attitude has an impact on your employees and stakeholders. If you consider the attack as a failure or wrongly accuse one of your employees of being responsible for it, that may affect your business's future.
Just keep in mind that each move and action you take influences not only this moment and this cyber attack but also your future reputation and profitability.
Plan the improvements
The last step is to analyze all gaps using facts and data. If you find out that the attacker hacked your business because one of your employees neglected his or her duty, it is better to avoid emotional reactions. There are multiple ways to act in this situation because each case is different.
For sure, you can make an effort to create short- and long-term goals to close the gaps. Each gap is an indicator verified by the incident. Each goal assumes the prevention of similar attacks in the future.
The recovery after the cyber attack must eliminate or minimize the causes of said attack. If this does not happen, the lesson won't be learned.
Cyber crisis case study
You may be hacked, no matter if you own a small or big enterprise. Owning a bigger company doesn't make you safer or better prepared for the crisis. At least not always. Just take a look at the case studies below.
Marriott International:
The cyber attack
The well-known hotel chain Marriott International was hacked in January 2020, but the attack went unnoticed by the company until late February. Hackers who obtained the login credentials of two Marriott employees may have gained access to guests' details. The company started its own investigation.
Response
Marriott made a statement that hackers might have acquired personal details such as names, birthdates, telephone numbers, language preferences, and loyalty account numbers. The hotel also sent emails to the guests involved and created a dedicated website and call center to inform guests. Marriott assured that it carries insurance, including cyber insurance. So far everything looks professional; however, in the statement the company said it did not believe that its total costs related to this incident would be significant.
Recovery
In October 2020, the UK's data privacy watchdog fined the Marriott Hotels chain £18.4m for a data breach that may have affected up to 339 million guest records.
Where was the lesson learned?
First of all, that wasn't the first cyber attack on Marriott International. In 2014, hackers attacked the Starwood Hotels group that was acquired by Marriott two years later. As we know, the company didn't take any recovery steps at that time. That's why the next attack was easier.
The first publicly noticed attack took place in 2018. Again, the crisis management protocol wasn't implemented correctly; as a consequence, until then the attacker continued to have access to all affected systems, including:
• names
• arrival and departure information
• email addresses
• VIP status
• phone numbers
• loyalty program numbers
• passport numbers
That is why Marriott was fined by the UK's data privacy watchdog. The hotel chain failed to protect personal data as required by the General Data Protection Regulation (GDPR). Moreover, it failed more than once. Leaders responsible for cyber crisis management didn't identify and analyze the gaps deeply.
What helped?
Marriott International carries insurance, including cyber insurance. This helped to pay the fines.
What can you learn from this?
Lessons learned:
Summary
Nowadays, cyber crisis management is equally important for a micro and a large company.
The difference is in the resources that you have. The smaller the business, the bigger the responsibilities you have as an owner.
Remember that a cyber crisis may affect your company even if it is not a typical online business (e-business). Whenever you use a laptop, smartphone, printer, fax, or mailbox, you need to consider cyber security management.
Finally, keep in mind that mismanagement may escalate the crisis or even create a new one.
Good luck!