Preparation for a critical cyber event is just as important, if not more important, than the response to the actual event. Such was the common agreement among panel members at this year’s highly successful NY Tech Summit at Turning Stone Resort in Verona, NY, presented by TERACAI and CXtec.
The panel was uniquely comprised of leading experts from the four knowledge centers necessary for a company facing a real or possible cyber incident:
Alan Winchester, a leader in the Cybersecurity Protection and Response Practice Group and partner at Harris Beach PLLC attorneys at law, provided a legal perspective.
Mark Ballister, Security Intelligence and Response Manager at Paychex, shared a specific company’s experience and insight.
Evan Bloom, CEO of Fortress Strategic Communications, explained the essential role of communications and public relations before, during, and after a crisis.
Vikas Bhatia, Founder and CEO of Kalki Consulting, provided a cybersecurity perspective.
Legal expert Alan Winchester identified four key areas of neglect or error which, if addressed, can prevent a crisis from turning into a catastrophe. First, even companies with robust policy documents often lack the formal procedures necessary to operationalize their policies in real time.
To successfully navigate a significant cyber event, a company needs both comprehensive policies to inform every employee of his or her goals and obligations, along with tested procedures that ensure the best possible outcomes. Each procedure must be aligned with each cybersecurity policy in effect. Many of the cyber events Winchester and his colleagues have addressed on behalf of clients often stemmed from a failure of people to understand or follow procedures, not from a failure of hardware or software.
The second area of concern that Winchester noted is the widespread perception that cyber events are a problem limited solely to the Information Systems (IS) department. In fact, the reality is that such events raise a much broader issue of corporate risk; as more and more information is maintained electronically, a cyber event has greater potential to generate widespread, significant impacts across many core functions of an organization.
Certainly IS has a significant role in addressing and managing cyber events, and features heavily in the development of procedures and tactics for policy documents. However, formation of policy documents and assessment of risk and risk tolerance requires collaboration from many stakeholders beyond IS including Risk Management, Legal, Human Resources, Procurement, and Manufacturing, Each of these groups can contribute to a risk minimization strategy ranging from insurance, indemnity, or waiver provisions in contracts, to identification of critical data or equipment, to a more complete understanding of stress points for the organization.
The third area of risk occurs when an organization has an incomplete understanding of what information they are presently storing; where that information is maintained; and the extent to which that information is exposed. Without this awareness, a company is ill equipped to respond to a significant cyber event. This vulnerability ultimately comes down to incomplete information governance and inadequate management of a document’s life cycle.
Finally, Winchester points out that many companies fail to understand and appreciate the long-term collateral issues associated with a significant event. Organizations typically focus on remediating the issue leading to the event, neglecting to pay sufficient attention to preserving the necessary forensics to allow the organization to defend itself against complaints from customers, regulators or other third parties. In addition, the documentation surrounding the remediation is often not prepared with litigation and legal discovery processes in mind, and may not fully reflect the decisions and issues the company faces.
Mark Ballister, Security Intelligence and Response Manager at Paychex, a business that offers payroll, HR, and benefits solutions for midsize to large businesses, observes that common mistakes involve two key areas: third-party relationships and poor communication strategies.
Establishing strong third-party relationships before a cyber event is vital. Relationship building takes time--a luxury a company in crisis cannot afford. Robust working relationships with key partners such as local and federal law enforcement, incident response providers, data breach resolution providers, cyber insurance providers, external legal counsel and crisis communications management providers, etc. ensure all partners are fully on board when help is needed.
Companies without effective communication strategies in place before an event occurs often rush to communicate before all details are available. In the chaos of a crisis, preliminary numbers are often inaccurate. Sharing faulty data with stakeholders can exacerbate any lack of trust the company may be facing as a result of the breach. Working with a crisis management coach can help a company identify what to say, when to say it, and how to say it. Focusing on when and how to communicate makes a critical difference in the reception, perception, and dissemination of the message.
Public relations expert Evan Bloom of Fortress Strategic Communications outlines three common PR mistakes many companies make when preparing for a cyber event. The first is not having an active communications plan that reaches employees, the media, customers, and partners. Recipients of crisis messaging should be familiar with the company before trouble strikes. When informed stakeholders know and understand a brand, they are more likely to be open to and positive about crisis messaging. Further, while a solid reputation established well before an event won’t prevent a crisis, it does serve to soften the impact of negative public and media scrutiny.
The second error Bloom notes is the assumption that “it can’t happen to us because we are too small.” The reality is that if a business is connected to employees, vendors, and customers via the internet, it is a target and an accident waiting to happen. The statistics are alarming. According to Small Business Trends, out of all cyberattacks, 43% target small business, and a whopping 60% of small businesses go out of business within six months following a cyberattack. No business, no matter how small, is immune, and threats are just as real internally as they are externally.
Finally, Bloom says that the third serious mistake is senior management neglecting to establish a coherent crisis posture for the company. Leaders need to repeatedly communicate that the company has a crisis management and communications strategy in place, and regularly inform and educate employees about what is expected of them. They need to “walk the talk” and set the tone.
If employees see senior management taking the threat of a cyber incident seriously, if they see policies and procedures being implemented, and if they see those that flout the rules being dealt with or challenged, then the right message will be communicated and the correct tone set. At the end of the day a company is only as secure as its weakest element—and unfortunately that is usually its employees. Internal communication to foster risk awareness and readiness is a crucial element of a successful response to a crisis.
Cyber event readiness
According to Alan Winchester, from a legal perspective, effective preparation for an adverse event entails that a company first undergo a risk assessment calculated to tease out all the possible events they might face and delineate how those events might impact the operations of the organization. The various affected stakeholders should then form a committee to tackle each risk, focusing on the most significant risks first. The committee should be tasked with developing policies and procedures to eliminate, transfer, or reduce the risk commensurate with the threat it poses to the organization.
Training is key. An organization must train its people to behave in accordance with its policies. Plans need to be tested to make sure that they work. Every organization performs fire drills, which significantly reduce the risk of loss during a fire. Cyber events are like fires: they strike without warning, and a timely, intelligent response prevents widespread damage.
Winchester stresses that an organization should periodically revisit its policies and procedures to ensure they are still aligned with the company’s risk assessment. Reevaluation following each cyber event ensures the procedures accomplished their intended objectives or determines any improvements needed to either reduce the risk of the event reoccurring in the future or mitigating the consequences if the risk can’t be eliminated.
Evan Bloom adds that to be crisis communications ready, a company must begin to actively monitor both internal and external environments for threats ahead of time. Identifying potential issues that could develop into a crisis is a critical component of a readiness plan. Ongoing threat monitoring, identification, and assessment can result in proactive crisis communications and management, which helps minimize the risks the company could face in a crisis.
Secondly, a company needs to have an up-to-date and scenario-ready crisis communications plan in place. Many companies have an old crisis communications plan that is rarely if ever updated and is often too general to be adequately implemented during a cyber incident. For example, data breaches have a specific, significant compliance aspect to them, including communications aspects.
Effectively updated crisis plans are designed to be implemented quickly with specific strategies, tactics and policies for a wide variety of cyber incidents, and include key providers. In the heat of a critical event, there is no time to work out procedures and identify specialized service providers, such as credit monitoring companies; these protocols and connections must be well established beforehand.
Furthermore, many companies fail to practice and test their PR plans. It is a fool’s folly to assume that the mere existence of a plan means the company is covered in an emergency. Plans have to be tested and exercised to identify and address problems, then updated for continuous improvement.
Mark Ballister recommends that a company test and follow plans annually at a minimum, and preferably quarterly. Testing via tabletop (scripted events), hybrid (mix of scripted and real scans), and finally a live exercise (real and scripted events) yields optimal results. Virtually every exercise will reveal advantageous tweaks that can forestall collateral damage in the future.
Ballister stresses that all stakeholders—employees, partners, vendors, etc.--must be prepared. Realistic expectations of what can happen during a cyber event will prevent confusion and error during the actual—and these days, inevitable—crisis. Preparation allows people to respond with speed and confidence.
National and international headlines illustrate how an unfortunate initial event can lead to a catastrophic cascade of damage due to poor preparation. Smart, fast, focused action protects assets and minimizes damage in the immediate aftermath of a crisis and well into the future.
Unfortunately, due to time constraints, Vikas Bhatia was unable to contribute to this article.
About Fortress Strategic Communications:
Fortress Strategic Communications provides specialized strategic public relations and crisis communications consulting to companies that offer products, services, and solutions designed to manage and mitigate all types of risk. FSC also provides market specific solutions for data breach events and counsels startups looking to enter the risk management arena. The company draws on their executives’ combined 20 years of global experience in a broad array of vertical markets. For more information please visit www.fortresscomms.com or contact us via firstname.lastname@example.org