One of the things that will pump a little adrenaline into an average Tuesday morning at Gotham is a call from one of our clients in the midst of a genuine cyber crisis. Unfortunately, these calls are more and more common, so I thought I’d spend a few minutes talking about some things you can do get prepared for such a call. I’m glad you’re calling me, but I’d prefer that you also had some type of Cyber Crisis Plan that you prepared for such an occasion.
I know it’s customary at this point to spend a paragraph or two dropping a bunch of scary statistics regarding cyber crises. I’m going to save the ink as I’m kind of surprised it’s still necessary to point out that you will eventually have TBD (The Bad Day). Feel free to pop open a Google window and search for something like “inevitable cyber crisis” if you don’t feel sufficiently emotionally attached to this issue.
Let’s start by defining what differentiates a cyber crisis from an incident. Incidents happen to most firms on a fairly regular basis and can generally be dealt with as part of your normal business cadence. Cyber crises will generally contain one or more of the following elements:
- Significant business interruption
- Loss of material digital assets
- Damage to clients or partners and the associated financial and legal liability
- News coverage or PR issues
The first thing we’re going to need is a cyber crisis team. This team will generally have representation from the following areas - executive leadership, business operations, information security leadership, IT operations, legal, and public relations.
When pulling together your team, I think it’s useful to consider some of the decisions that this team might be asked to make:
- Do we go public with this breach? How? When?
- When will we inform our clients or partners of the damage? How will we compensate them?
- We might need to disconnect from the Internet for a period of time. Is that possible? What would the impact be?
It’s critical that the team be sufficiently staffed and empowered to make these decisions. Please also take note that this team is managing the crisis, not fixing it. Your existing cyber team will generally be working on fixing this issue from a technical perspective. The crisis team manages the crisis.
Next, you should establish some roles. There should be a single individual quarterbacking the situation as the crisis manager. There should be specific communication protocols for both internal and external communication. Generally there are specific people assigned to these tasks.
As an engineer, I don’t usually go for touchy-feely type things but I’m going to break with tradition. I think it’s useful to put down, in writing, a mission statement and core values for your team. Your team may find itself making some tough decisions that balance financial interests with long term brand and moral issues. Take some time to remind yourself of what’s really important (ex. our customers health, safety & welfare) at a moment when cutting corners isn’t as tempting.
And just to show you that I haven’t gone soft in my old age, here’s a slightly darker but equally important suggestion. Include outside counsel on your team. Like it or not, many crises are followed by long-term legal action on somebody’s part. Outside counsel is the one person in the world you can speak to (at least in this country) without having to worry about hearing your words come back to haunt you in a deposition. Whenever a question starts with the phrase “Would it be legal to …” say it to your outside counsel.
Now that we’ve got our team, what’s next? Practice. Have the most creatively evil person you know create some scenarios for you and walk through them as a team. Decide what to do and when. Decide whom to communicate to and how. Run your solutions by a larger group to get feedback.
As you walk through your scenarios, you’ll find that there are things the team will want to know and things they’ll want to do. Make a list of these things and make sure that you either get them in place or you’re prepared to live without them. Here are some starting points:
- Data regarding the breach. How many accounts have been compromised?
- Can we get an exact timeline? When exactly did this happen? How long has anyone known about it?
- If email is compromised, do we have an out-of-band method of communicating with our employees?
- What are our actual legal liabilities regarding compromise?
Use this list to make sure that your team has the right data and tools to be effective in the crisis.
If your data center is in Miami, I’m guessing you have a plan for hurricanes. If you’re operating out of NYC, you probably have a plan that covers a terrorist action. If you have digital assets and connect to the Internet you should get yourself a cyber crisis plan. Don’t be caught on TBD without one.