Phishing attacks, insider threats, denial of service disruptions, malware and ransomware — cybersecurity incidents like these happen on a daily basis. For most of these incidents, the onsite IT team will remediate based on a pre-developed plan and process. And for many of these incidents, that’s a solid approach.

But those incident response plans and strategies are IT oriented and geared toward short-term fixes and single incident responses. Meaning, if an incident accelerates beyond a handful of infected laptops or a compromised server and begins to affect operations of all or even part of the organization, business itself can be disrupted — or even shut down entirely.

When a Security Incident Becomes a Company-Wide Crisis

The aftershocks of an incident-turned-crisis can be profound. In 2013-2014, a global internet services provider (which was in the process of being sold to a new parent company) fell victim to just such an attack. The credentials of three billion user accounts were exposed, along with the personally identifiable information (PII) of 5 million customers. But one of the more striking fallouts of the crisis — along with tainted reputation and diminished brand value — was a reduction of roughly $350M to the final sales price of the company.

And therein lies the difference between a cybersecurity incident — one handled solely and efficiently by IT — and a cybersecurity crisis, which affects multiple organizations within a company (or the entirety of the company itself). Seldom do executives find themselves in a situation where they must explain an individual cybersecurity incident and its response to the board of directors and shareholders. But in a crisis when the aftershocks are profound — such as a $350M reduction in sales price — executives can be assured they will likely be tapped to offer insight and explanation.


Elements of a Cyber Crisis Plan

It’s critical for a business to have a well-defined plan of action in place so it can respond to a cyber crisis as efficiently and quickly as possible. This is best achieved through a cyber crisis management plan: a strategic approach that allows an organization to respond in unison, not in silos. The cyber crisis management process accompanies the incident response management process followed by the cybersecurity team. Working together, the two processes deliver a unified technical and business response to a cyber crisis.

Advance preparation is critical for building a cyber crisis management plan for an organization. Solid preparation must include planning and testing a crisis response and identifying key stakeholders from across the business, such as HR, finance, PR/communications, marketing and client success. This ensures that members from outside the IT/Security function understand that they too have an important role to perform. Working together under pressure as a team to minimize the overall impact to the business may lead to a more effective outcome from the crisis.

There isn’t a prescribed format for a cyber crisis management plan — each needs to be custom built around the business’s priorities and its most valuable assets. There are, however, common elements found in many plans:

  • Definition of a crisis
  • Process for qualifying, declaring and de-escalating a crisis
  • Key stakeholders with defined roles and responsibilities
  • Decision-making processes with a defined chain of command
  • Regulatory and compliance disclosure requirements
  • Crisis communications plan

Lather, Rinse, Repeat: Test and Update Your Plan Regularly

Having a cyber crisis management plan in place is a good first step to prepare for a potential cyber crisis. Equally important is updating the plan regularly, at least annually, and sharing it with all key stakeholders. Ideally, stakeholders should have access to current versions of the plan in both hard copy as well as online, in the event the network becomes inaccessible during an event.

Ask the Experts

IBM Security X-Force has experts who’ve worked with organizations to develop both incident response plans as well as business-wide cyber crisis management plans. This ensures both plans work together to help minimize risk and impact to a business if an incident turns into a crisis.

Clients have the option to access this expertise through a retainer that provides a broad portfolio of capabilities to help fortify organizational resilience, including plan and playbook development, adversary simulation assessments and exercises to test plans and identify gaps, all underpinned by world-class threat intelligence from IBM X-Force Threat Intelligence Services.

To learn more, download the IBM Security X-Force Cyber Crisis Management solution brief, or ask the experts directly by scheduling a consultation.

If your organization requires immediate assistance with incident response, please contact IBM Security X-Force’s US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034. Learn more about X-Force’s threat intelligence and incident response services.
