"That will never happen"

A new approach to Cyber Crisis Management

... > Crisis and Resilience services > "That will never happen" - A new approach to Cyber Crisis Management.

A new approach to Cyber Crisis Management

Author: Luke Fletcher, Senior Crisis Consultant at Secura

As a Senior Crisis Consultant in the cybersecurity industry, I see a shift in how organizations prepare themselves for a potential cyber crisis. Traditional risk assessment methods are no longer sufficient. They often result in measures only being taken for the most likely incidents.

However, it is usually events considered unlikely that cause the greatest impact, for which organizations are not prepared. Regulators recognize this, so here is my wake up call: prepare for the WORST…

I see two big challenges organizations face:

  1. Determining what the worst case scenario could be and to what extent you should prepare.
  2. Linking the technical, operational and tactical response to strategic crisis management.

Let’s look at how you can start to tackle these challenges.

1. Preparing for the Severe but Plausible

A recent study published by the European Union Agency for Cybersecurity (ENISA) states the EU is ‘an era of permacrisis and polycrisis’.

What does this mean? Permacrisis is defined as a long period of great difficulty, confusion, or suffering that seems to have no end. Polycrisis is defined as the simultaneous occurrence of several catastrophic events.

A rather stark picture unfortunately. This means the challenge for many organizations is to determine what a worst case scenario crisis looks like for them and what resources to invest in preparing for this. Particularly as regulators across Europe, with NIS2, DORA and other regulation in mind, expect resilience even for the most ‘severe but plausible’ events.

‘That will never happen’

As the expectation is that your organization remains resilient, even against worst case scenarios, former risk based approaches are no longer effective. In my experience as a crisis manager, I find that many organizations find this a difficult concept to accept.

I can recall a few examples in my career where I have proposed a high severity scenario as an idea for a crisis exercise, only to have this shot down by the statement ‘that will never happen’.

Yet, in a few standout examples, and coincidentally, almost the exact scenario proposed materialized in a similar fashion not long later. I imagine in 2016 before the Not-Petya attack on Maersk, that their risk assessments would have dubbed the scenario that unfolded in June 2017 highly unlikely, limiting the desire for resilience investment.

The key to solving this challenge

So, what should you do instead? The key to solving this challenge is to first ensure you have a crisis framework that is adaptable enough to deal with any kind of crisis. Fortunately, a team of experts in the crisis management field recently created a new International Standard on Crisis Management to help organizations with this. The standard is ISO22361 and provides details on how to implement a crisis framework, principles and processes as per the diagram below.

Image in image block

Source: iso.org

Review case studies

Another key way to prepare your organization for a full-blown cyber crisis is to review case studies on how cyber attacks have impacted other organizations. Learn the lessons they have learned and then consider how those scenarios could have been worse.

Exercise these scenarios to see how your organization would respond. What if a power outage hadn’t occurred in Ghana at the same time as the Not Petya attack on Maersk (that preserved a clean copy of their domain controller data). What if a second ransomware attack hits you shortly after the first?

2. Operational, Tactical and Strategic Teams should prepare together

The second big problem that I see many organizations struggle with is the cooperation between Operational, Tactical and Strategic teams. A cyber crisis like a ransomware attack requires a coordinated response from across the organization.

This is a challenge, because organizations are not responding regularly to cyber crisis events (thankfully!). This means that technical and strategic teams rarely interact in such scenarios. Even when performing crisis exercises, these teams usually exercise independently and rarely simultaneously.

In practice, I often see that even if they do exercise at the same time, technical teams sometimes find it difficult to relay information in a concise, non-technical way for strategic teams to understand and base their decisions on.

Making sure that your response processes at operational level align with tactical and strategic responses is key for effective coordination. To make this possible, it is important to exercise these processes across all layers of the organization simultaneously. That is the only way to determine their effectiveness, and it requires practice.

Conclusion

In my job as Senior Cyber Crisis Consultant, I see that many organizations still underestimate the preparation required to ensure an effective response to cyber crises. I believe all organizations should prepare more consciously and thoroughly for severe cyber incidents that ‘will never happen’. You should prepare for those incidents in exercises with Operational, Tactical and Strategic teams together.

Cyber crisis management is no longer just a checkmark on your compliance list, but a condition to survive.


The cybersecurity world is changing. Subscribe to our Cyber Vision Newsletter on LinkedIn to learn more about the changing nature of cybersecurity, and the future of cyber resilience.

About the author

Luke Fletcher, Senior Crisis Consultant at Secura

Luke Fletcher is a Senior Crisis Consultant at Secura with over 10+ years of international experience in crisis management and operational resilience.


Luke holds a BSc (Hons) First Class in Disaster Management & Emergency Planning and has operated within the Finance, Energy and Higher Education sectors.


He is a passionate professional and has built crisis management capabilities internally, coordinated the response to major crises and delivered numerous crisis and resilience projects to clients including the design and delivery of cyber crisis exercises.

Related Services

Crisis Management Services

Article image

Discover how our Crisis Management Services can help your organization prepare for the worst.

ABOUT SECURA

Secura is a leading cybersecurity expert. Our customers range from government and healthcare to finance and industry worldwide. Secura offers technical services, such as vulnerability assessments, penetration testing and red teaming. We also provide certification for IoT and industrial environments, as well as audits, forensic services and awareness training. Our goal is to raise your cyber resilience.

Secura is a Bureau Veritas company. Bureau Veritas (BV) is a publicly listed company specialized in testing, inspection and certification. BV was founded in 1828, has over 80.000 employees and is active in 140 countries. Secura is the cornerstone of the cybersecurity strategy of Bureau Veritas.