As cyber attacks now trigger crises of unprecedented extent, scale, visibility and impact, the way we train against them has to change. Here are 5 tips to keep in mind when training your crisis cell to handle a cyber crisis in 2018.
As the 17th-century poet Jean de La Fontaine wisely put it: “Rushing is useless; one has to leave on time”. Considering the emblematic cyber attacks that marked 2017, this saying perfectly describes the current state of cyber crisis management. How does this new reality change the way companies should train against cyber attacks? Do the crisis exercises currently run within major companies really address these new stakes?
Tip #1: Be realistic: your scenario should be fast-paced but long-lasting
Companies that had to face the worldwide WannaCry and NotPetya cyber attacks all shared one element in their feedback: they underestimated (or never estimated) how long the crisis would last. Once the alert was raised, each of them threw itself 100% into resolving the crisis for as long as it took. Did this work out? Of course not. Staff describe last-minute handovers, 20-hour working days one after another, four hours of sleep a night, and, in the end, serious exhaustion. A crisis cell must get into the habit, from the first hours of the crisis, of estimating its likely duration by assessing the incident without excessive optimism. Anticipating a long crisis means, above all, planning shift rotations from the first hours and making the handover of information between shifts a priority.
Tip #2: Include a BCP activation in the action plan
“Hyperconnection: the resilience challenge”. The theme of the 2018 International Cybersecurity Forum is telling. If this international cybersecurity event puts resilience front and centre, it is because the damage to business activities can be severe. A massive loss of workstations, caused for example by cryptolocker-type ransomware, means the crisis cell must define in its action plan both a business continuity strategy and a disaster recovery plan.
Tip #3: Your communications director must work together with the CISO
Data leaks, defacement, ransomware… Familiar jargon to us, yet confusing for the general public. Media coverage of recent worldwide cyber attacks has often taken a crude, sensationalist tone, sometimes at the expense of substance. Now picture a CISO trying to get the basics of cyber threats across to the communications manager in a hurry, while at the same time working out alone the technical specifics of the ongoing attack: a difficult exercise. Ongoing training of the communications teams is essential, since they are the ones who will face journalists. Crisis exercises are an opportunity to build or deepen each side's understanding of the other's subject matter and procedures.
Tip #4: Invite your colleagues who work abroad
The Internet has no borders, and neither do cyber crises. Given both their impacts and the teams called on to resolve them, cyber crises rarely stay confined to a single country.
When preparing for a cyber crisis, remember to:
- Identify regional points of contact;
- Build a coordination process with the regions into your overall crisis management process, taking time zones into account, for example.
A good way to test coordination between teams in different geographical zones (help desks, for example) is to run a scenario that simulates a major incident outside working hours.
Tip #5: One cell is not enough
Responsibility for handling a cyber crisis is no longer confined to the CISO's perimeter. Reputational damage, impact on customers, disruption to operations, financial loss, legal risk… cyber attacks affect far more than the information system. They therefore involve many actors and should be managed with a multidisciplinary, cross-functional approach.
This has consequences for who should take part in cyber crisis exercises:
- Cells must bring together a range of profiles; for example, with the GDPR data protection regulation coming into force, a data-breach scenario would be hard to handle without a lawyer present.
- IT crisis cells, the SOC, business-unit cells, group crisis cells… these decision-making and operational actors must be able to interact effectively, each with the right level of information.
A cyber crisis simulation should therefore help clarify or refine the division of roles and responsibilities between cells and ease communication between them. The written scenarios must be convincing, include major impacts and a variety of inputs, and bring together at least one decision-making cell and one operational cell.