Cyber crisis response: 4 common pitfalls and how to approach them
15 May 2017
In recent years my team and I seem to have delivered more crisis response projects around cyber than any other threat or risk issue. In fact, the current ratio is probably about 5:1 in favour of the world of hacking, breach and data loss.
In that time we have seen and learnt a great deal. We have seen what makes an organisation more confident and prepared, and we have understood some of the more common issues. Some of these issues could have been anticipated while other pitfalls have been self-generated and should - and could - have been avoided.
It is worth exploring four of the more common issues and how they might be managed:
- Challenged by the timeline. Many significant cyber events that require senior leadership involvement are both historic and ongoing; that is, the original breach or penetration could have happened months or years before and may still be active at the time of discovery and still not completely understood by the technical team responding to it. The length of the timeline can unnerve leaders who are used to becoming involved at the very outset of an incident and/or expect the very basic facts to be understood by the time they are invoked to deal with business impacts and consequence management. In a cyber incident they are often presented with a situation that has many unknowns, could still be ongoing and could worsen significantly. This means that rather than making decisions in an environment where the impacts are known, leaders are now forced into decision - or often indecision - while the situation continues to worsen with no end-state in view.
- Challenged by the decision environment. The timing issue brings with it a behavioural challenge: we like to understand things before we make decisions. We want to weigh up facts and options and use our own experience as well as guidance from others to make important choices. Sometimes the situation in a cyber crisis is still emerging, and verifying facts may take days and possibly weeks, if it can be done at all. Leaders are faced with a most uncomfortable situation: making choices without truly knowing what the problem or the solution is.
- Challenged by the tone from the top. The decision-making challenge can be a very personal one for leaders and teams, but it sits surrounded by a culture built over time to suit each organisation. That culture is uniquely constructed through learned behaviours and experience, but is heavily influenced by the tone set from the top. Through their values (whether stated or implicit in their actions), the leadership influence the norms to deliver, for example, a culture of fast-paced entrepreneurship or considered conservatism. The problem is that these are business-as-usual cultures that are entirely appropriate for normal activities but which may be, depending on the incident that has arisen, deeply threatening for crisis response.
- Challenged by the changing context. The context of response to cyber crises is that leaders often don’t understand the detail of what is happening and the actual situation is in constant change. A few years ago, organisations might be able to (and some did) fall back on the luxury of thinking of themselves as “victims” of cyber attack. That time has passed. We have to accept that in the same way we proactively secure our buildings, detect physical security breaches and deal with unauthorised and undesirable activity inside them, in the current age we also have to do the same for our digital estate.
So does cyber bring challenges that appear to be unprecedented? It will be no surprise to experienced Business Continuity and Crisis Management leaders that the approaches that have minimised these issues and supported better outcomes are not specific to cyber events but belong to crisis leadership in general:
- Invest focus, time and effort. The organisations that find themselves more confident and better prepared to avoid, detect and respond to cyber incidents have invested in their response capability. Sometimes this means additional investment in technology and expertise, but it always means investing time in understanding key threats and exercising responses with the right teams, including tactical and strategic layers.
- Embed cyber expertise into the organisation’s crisis response approach. Organisational leaders have been responding to incidents related to natural hazards, property, human behaviour and technology, among many others, since commerce began. The best leaders surround themselves with people who know about the things they do not, like operations, security, facilities, HR, technology and communications experts. In most organisations cyber expertise has been integrated into business-as-usual, but it must also be integrated into the joined-up organisational response capability.
- Set tone from the top based on values. My experience with leaders across industries and sectors suggests that one single piece of advice can unlock the key to delivering a response no matter what the cause and effect: focus on the values that your organisation stands for. We often don’t have perfect information during an incident. We often don’t know the exact nature of the problem or what might happen next. But if we seek to make timely decisions that reflect the genuine values of who we are as a leadership and an organisation, we will be heading in the right direction.