The massive increase in cyberattacks and the rapid evolution of advanced criminal techniques require every business in every sector to take protective measures that strengthen its cyber perimeter and minimize risk. To deal with this peril, businesses must adopt security controls and comply with security standards and regulations so that their cybersecurity defenses protect their assets, revenue, and reputation.
These are all proactive steps that a business must take as part of the initial lineup in the cybersecurity arena. Along with these protective measures, part of any sound cybersecurity practice must include crisis planning.
Crisis Management Fundamentals
A company is considered resilient if it can manage crises. To ensure resilience, effective crisis management must be understood, developed, deployed, and validated in the context of a range of disciplines, including business continuity and security management. This requires a forward-thinking, methodical strategy that builds structures, teaches people to operate within them, and is continuously, purposefully, and rigorously assessed and modified. The development of a crisis management capability must be a regular and continuous effort, proportional to the size and capabilities of an organization.
Crisis management in cybersecurity must not be confused with risk management. Risk management consists of the defensive strategies and measures that a business develops and applies to better protect its assets from cyberattacks. Crisis management deals with everything after a successful attack. It is the management of the event’s aftermath: it tries to keep the “falling parts” united, to absorb the shockwave, and, if properly executed, to be the lifesaver of the affected organization.
Why and when a crisis occurs
A crisis occurs when disruptive incidents, such as a cyberattack, cause immediate strategic implications. These can be malicious or negligent acts, or a failure to deliver quality goods and services. Furthermore, a crisis occurs when poorly managed incidents and business fluctuations escalate to a point that has serious consequences for an organization’s revenue and reputation.
The incubation of these incidents over time, which may lead to a crisis, results from a lack of governance and management controls; a poor or nonexistent cybersecurity policy; overcomplicated processes that end up in “workaround” procedures; and flaws in supervision that let people “get away with” undesirable behaviors. Peripherally, these problems can grow in a working environment that has been poisoned by an “us versus them” blame culture and by poor training that keeps cybersecurity awareness in a dormant state.
How Crisis Management can help
Crisis management prepares individuals for unanticipated events and situations in the company. It helps employees adjust well to sudden organizational changes. With relevant training, people can comprehend and evaluate the root causes of the crisis and cope with them in the best way possible.
Crisis management assists managers in developing methods to emerge from unclear situations, and in deciding on a future course of action. Furthermore, it enables managers to detect early indicators of a crisis, warn employees about the consequences, and take all necessary precautions. Essential features of a good crisis management plan include:
- Activities that help managers and employees analyze and understand events that might lead to crisis and uncertainty in the organization.
- Actions that allow personnel to respond effectively to changes in the organization's culture.
- Close coordination amongst the departments to overcome emergencies.
- Panic control, patience, and proper, regular communication with employees, clients, stakeholders, and the media.
- Realistic training.
- Ability to adapt well to changes and new situations.
Crisis leadership and decision-making for business continuity
To implement an effective crisis capability, an organization must first invest in its personnel: people who are aware of crisis management and who can quickly analyze situations, set strategies, determine options, make decisions, and evaluate their impact.
Efficient crisis management needs staff who are able to share, support, and implement top management’s vision, intentions, and policies by applying the right resources in the right place at the right time. To succeed, a business must set up processes to translate decisions into actions, evaluate those actions, and follow them up.
Size and resource availability matter in crisis management, as they define how capabilities can be developed. Small companies can meet the crisis management roles and requirements with a few well-trained people, whereas large enterprises need to scale personnel and resources and compose crisis management teams (CMTs) to succeed in managing a potential crisis.
Train for the unexpected
The consequences of a crisis are extraordinarily complex, and potentially severe; the organization is under serious stress that affects information processing and communication. The ecosystem during a crisis is often chaotic, uncertain, and extremely unstable.
Leaders need to be exposed to the challenges of a crisis during training and exercises so that they are aware of the potential need to make decisions urgently and without “having all the facts on the table”. This might be counter to the typical business-as-usual approach of an organization, and therefore involves a change of culture. Changing the organization’s culture to work at times of stress and challenge can be exceptionally difficult.
The only practical way of preparing leaders for this is rigorous, realistic, and repeated training, which allows them to test all the implications of plausible “what if” scenarios. They must also be able to project calmness, authority, and confidence, supported by decisiveness. Equally important, they need to be visible across their whole area of responsibility so that they can exert control.
A sound crisis management strategy needs proper, high-quality communication. Communication is the first action after a crisis event. It shares relevant information about the event with the world and with the stakeholders. While it is important to remain candid and truthful, you may not be able to reveal details that would hinder an active investigation. It is mandatory to know your audience. It is crucial to be a successful spokesperson and to know how to handle the crowd and the media. Knowing how to use the social media toolbox is an advantage under these extremes, as it helps smooth the rough surfaces of a crisis-knocked business.
Decision-making is the process that leads to the selection of a course of action from more than one alternative option. At its core, crisis response involves making decisions based on the best information available, and turning these into directions and actions that control events and minimize the crisis impacts.
At the strategic level, this means being able to steer the organization out of the crisis and on to business continuity and future success. Factors that improve the effectiveness of the decision-making process are established policies and experienced, well-trained crisis management teams.
Decision-makers must be aware of the issues they confront and realize that there are tools and approaches available to help them manage and reduce the effect of uncertainty on human cognitive abilities. This lessens the chance of making individual or collective decision errors.
The goal of crisis management is to minimize the aftermath and any collateral damage, ensuring business continuity after a major incident. As such, every business that respects its reputation and cares for its prosperity and growth must be prepared to that end and build a robust crisis management framework, in order to remain resilient in the face of any adverse event.
About the Author:
Christos Flessas is a Communications and Information Systems Engineer with more than 30 years of experience as an Officer of the Hellenic Air Force (HAF). He is an accredited NATO tactical evaluator in the Communication and Information Systems (CIS) area and the National Representative (NatRep) at Signal Intelligence CIS and at Navigation Warfare (NavWar) Working Groups. Christos holds an MSc in Guided Weapon Systems from Cranfield University, UK. He has also attended numerous online courses such as the Palo Alto Networks Academy Cybersecurity Foundation course. His experience covers a wide range of assignments including radar maintenance engineer, software developer for airborne radars, IT systems manager and Project Manager implementing major armament contracts.
Christos is intrigued by new challenges, open-minded, and excited about exploring the impact of cybersecurity on the industrial, critical infrastructure, telecommunications, financial, aviation, and maritime sectors.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.