Developing Cyber Crisis Response Capabilities
Characteristics of a cyber crisis
We should start by defining what a cybersecurity crisis is. It is often confused with incident response, and although the two are distinct, the way the incident response process is managed can itself escalate a situation into a serious crisis.
An incident response plan is a methodology for coping with day-to-day cybersecurity events such as virus and malware infections, DDoS attacks, phishing attacks and so on.
In a crisis, by contrast, the organization faces a situation that might seriously impact its reputation, its financial stability and even its viability as a business.
What is at stake, the potential reputation and business impact
During a crisis, the executive management team, and particularly the CEO, will be put in the spotlight in a process that can unfold very quickly and that is difficult to manage without the right preparation.
A sequence of discussions within the company among the different teams involved, as well as interactions with regulators, the media, supervisory authorities and potentially the data subjects or affected individuals, may all take place in a short period of time.
A strong communication plan will not only help protect customers, but also help your company mitigate any brand image damage and loss of revenue.
Key elements of a crisis management plan
- Identification of the key executive stakeholders including representation from legal, privacy, risk, IT, compliance and corporate communications
- Clear definition of roles and responsibilities of each stakeholder
- Exploration of “what if” scenarios evaluating the potential impact, the planned response activities and the resulting recovery processes. This analysis enables the organization to define severity levels and the specific response protocol for each level.
- Templates of statements tailored for customers, business partners, media and external agencies.
- Pre-crafted communication templates for breach notifications as required by applicable privacy laws, for example the GDPR.
- Arrangements to immediately provide identity and credit protection services to affected individuals if needed.
- Identification of forensics experts that might help in investigating or mitigating data breaches.
- Identification of potential negotiation experts, for example in the case of ransomware.
The cybersecurity crisis management process
Every crisis is different. Nevertheless, we can approach them following this structured process with important activities before, during and after the crisis hits.
We divide the process into four phases, as highlighted by the US National Institute of Standards and Technology (NIST) and also in the Government of Canada Cyber Security Event Management Plan:
- Preparation: general readiness for a broad range of cybersecurity events. During this phase, roles and responsibilities are defined, procedures are defined and tested, and teams are trained.
- Detection and assessment: monitoring of diverse information sources, discovery of cyber events, reporting from affected departments and an initial assessment of the impact level.
- Containment, eradication and recovery: all response actions required to mitigate impact, namely containment, eradication, root cause analysis and investigation.
- Post-event analysis: lessons-learned analysis and review of processes and procedures, recommending changes to continuously improve the crisis management capability.
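The “what if” analysis in the plan and the initial impact assessment in the detection phase come together in one decision: does an event stay with the day-to-day incident response plan, or does it activate the crisis management plan and convene the executive stakeholders? The following Python module is an added example (not from the article, NIST or the Canadian plan) of that triage. The event fields, scoring weights, severity thresholds and stakeholder lists are assumptions standing in for the output of an organization's own scenario analysis; the 72-hour notification window is the GDPR Article 33 deadline for notifying the supervisory authority, counted from when the organization becomes aware of the breach. The sample events are constructed, not real incidents.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import Optional


class Severity(IntEnum):
    LOW = 1       # routine event, handled by the incident response plan
    MEDIUM = 2    # incident response plan, affected departments report in
    HIGH = 3      # incident response plan, executive management informed
    CRISIS = 4    # crisis management plan activated


@dataclass(frozen=True)
class CyberEvent:
    event_id: str
    category: str                  # phishing, malware, ddos, ransomware, data_breach
    personal_records_affected: int
    customer_facing_impact: bool   # customer services degraded or unavailable
    regulated_data: bool           # data in scope of a privacy law such as GDPR
    aware_at: datetime             # when the organisation became aware (UTC)
    public_exposure: bool = False  # already known to the media or the public


# Categories that by their nature threaten business viability (assumption).
HIGH_IMPACT_CATEGORIES = {"ransomware", "data_breach"}
# Stakeholders the article names for the crisis management plan, plus the CEO.
CRISIS_STAKEHOLDERS = ["CEO", "legal", "privacy", "risk", "IT", "compliance",
                       "corporate communications"]
# GDPR Art. 33: notify the supervisory authority within 72 hours of awareness.
GDPR_NOTIFICATION_WINDOW = timedelta(hours=72)


def impact_score(event: CyberEvent) -> int:
    """Additive impact score; the weights are assumptions from a what-if analysis."""
    score = 0
    if event.personal_records_affected >= 10_000:
        score += 2
    elif event.personal_records_affected > 0:
        score += 1
    if event.customer_facing_impact:
        score += 1
    if event.regulated_data:
        score += 1
    if event.public_exposure:
        score += 2      # reputation is already at stake
    if event.category in HIGH_IMPACT_CATEGORIES:
        score += 1
    return score


def assess_severity(event: CyberEvent) -> Severity:
    """Map the score onto severity levels (thresholds are assumptions)."""
    score = impact_score(event)
    if score >= 5:
        return Severity.CRISIS
    if score >= 3:
        return Severity.HIGH
    if score >= 1:
        return Severity.MEDIUM
    return Severity.LOW


def regulator_deadline(event: CyberEvent) -> Optional[datetime]:
    """Breach-notification deadline, only when regulated personal data is involved."""
    if event.regulated_data and event.personal_records_affected > 0:
        return event.aware_at + GDPR_NOTIFICATION_WINDOW
    return None


def response_protocol(event: CyberEvent) -> dict:
    """Decide which plan applies, who is convened and which templates to prepare."""
    severity = assess_severity(event)
    crisis = severity is Severity.CRISIS
    if crisis:
        stakeholders = list(CRISIS_STAKEHOLDERS)
    elif severity is Severity.HIGH:
        stakeholders = ["security operations", "executive management"]
    else:
        stakeholders = ["security operations"]
    templates = []
    if event.personal_records_affected > 0:
        templates += ["customer statement", "breach notification"]
    if crisis:
        templates += ["media statement", "business partner statement"]
    return {
        "event_id": event.event_id,
        "severity": severity.name,
        "plan": "crisis management plan" if crisis else "incident response plan",
        "stakeholders": stakeholders,
        "regulator_deadline": regulator_deadline(event),
        "templates": templates,
    }


def sample_events() -> list:
    """Constructed sample events for demonstration, not real incidents."""
    t0 = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    return [
        CyberEvent("EVT-001", "phishing", 0, False, False, t0),
        CyberEvent("EVT-002", "ddos", 0, True, False, t0),
        CyberEvent("EVT-003", "data_breach", 50_000, True, True, t0),
    ]
```

Running `response_protocol` over `sample_events()` shows the distinction the article draws: the phishing event stays at LOW with security operations alone, the DDoS lands at MEDIUM because customers are affected, and the regulated data breach reaches CRISIS, which convenes the executive stakeholders, queues the media and partner statements and starts the 72-hour regulator clock from the moment of awareness. The value of keeping this logic explicit is that the thresholds can be rehearsed in a tabletop exercise and adjusted before a real event tests them.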
Figure 1: crisis management process
Practice makes perfect: crisis simulation and war gaming
There is general consensus that the key question is not “if” but “when” your organization is going to be hit by a cybersecurity event. As a consequence, it is absolutely crucial to prepare in advance and to be ready to respond in a way that minimizes the impact on the organization’s reputation, its customers and all key stakeholders. This preparation should be articulated through a formal cybersecurity crisis management plan, which needs to be tested regularly.
As the cyber threat landscape continues to evolve and regulators move towards imposing severe fines for data breaches, there seems to be unanimity that being cybersecurity fit is of the utmost importance, in particular for financial institutions.
Despite this unanimity on the need for cybersecurity fitness, the strategies, tactics and solutions deployed to achieve that goal are diverse, some definitely more successful than others. They are strongly influenced by the organization’s culture, its cybersecurity maturity, its previous experience with cyber events, its market and regulatory regime, and the financial resources available.
Some of the leading financial institutions around the world are either implementing their own cyber ranges or gaining access to such infrastructures through some of the leading consulting firms in the industry.
A cyber range is essentially a virtual environment in which you can simulate your information systems, networks, tools and applications and test your preparedness safely. The system generates an enterprise-class network that acts as the target or victim network, simulating traffic and replicating network services.
A cyber range is therefore a safe and legal environment for gaining hands-on cyber skills, and a secure environment for product development and security posture testing.
Sometimes the people running these exercises have cyberwarfare backgrounds, and their goal is to enable the different teams within the financial institution to react properly should a cyber event happen.
New terms like cyber simulation are becoming more common and the industry as a whole is moving towards the creation of shared cyber ranges as the costs of implementing and maintaining such complex infrastructures are high, even prohibitive, for tier-2 or tier-3 financial institutions.
The Financial Sector Information Sharing and Analysis Council, or FS-ISAC, the industry’s cyber threat information-sharing hub, has already built out a cyber range.
Other interesting examples of the use of cyber ranges include Wells Fargo using the concept to train its cybersecurity teams, and various IT integrators and consulting companies building cyber ranges to offer to financial institutions.
There is also a wide range of offerings from cybersecurity companies providing cloud sandboxing, out-of-the-box cyber ranges and other specialized products to help banks build cyber ranges in a cost-effective way.