Phishing attacks, insider threats, denial of service disruptions, malware and ransomware — cybersecurity incidents like these happen on a daily basis. For most of these incidents, the onsite IT team will remediate based on a pre-developed plan and process. And for many of these incidents, that’s a solid approach.

But those incident response plans and strategies are IT oriented and geared toward short-term fixes and single incident responses. That means if an incident accelerates beyond a handful of infected laptops or a compromised server and begins to affect operations of all or even part of the organization, business itself can be disrupted — or even shut down entirely.

When a Security Incident Becomes a Company-Wide Crisis

The aftershocks of an incident-turned-crisis can be profound. In 2013-2014, a global internet services provider (which was in the process of being sold to a new parent company) fell victim to just such an attack. The credentials of three billion user accounts were exposed, along with the personally identifiable information (PII) of 5 million customers. But one of the more striking fallouts of the crisis — along with tainted reputation and diminished brand value — was a reduction of roughly $350M to the final sales price of the company.

And therein lies the difference between a cybersecurity incident — one handled solely and efficiently by IT — and a cybersecurity crisis, which affects multiple organizations within a company (or the entirety of the company itself). Seldom do executives find themselves in a situation where they must explain an individual cybersecurity incident and its response to the board of directors and shareholders. But in a crisis whose aftershocks are profound — such as a $350M reduction in sales price — executives can be assured they will likely be called on to offer insight and explanation.


Elements of a Cyber Crisis Plan

It’s critical for a business to have a well-defined plan of action in place to respond as efficiently and quickly as possible to a cyber crisis. This is best achieved if the business has implemented a cyber crisis management plan. A cyber crisis management plan is a strategic approach that allows an organization to respond in unison — not in silos. The cyber crisis management process accompanies the incident response management process followed by the cybersecurity team. Working together, both processes deliver a unified technical and business response to a cyber crisis.

Advance preparation is critical for building a cyber crisis management plan for an organization. Solid preparation must include planning and testing a crisis response and identifying key stakeholders from across the business, such as HR, finance, PR/communications, marketing and client success. This ensures that members from outside the IT/Security function understand that they too have an important role to perform. Working together under pressure as a team minimizes the overall impact to the business and may lead to a more effective outcome from the crisis.

There isn’t a prescribed format for a cyber crisis management plan — each needs to be custom built based on the business’s priorities and its most valuable assets. There are, however, common elements found in many plans:

  • Definition of a crisis
  • Process for qualifying, declaring and de-escalating a crisis
  • Key stakeholders with defined roles and responsibilities
  • Decision-making processes with a defined chain of command
  • Regulatory and compliance disclosure requirements
  • Crisis communications plan

Lather, Rinse, Repeat: Test and Update Your Plan Regularly

Having a cyber crisis management plan in place is a good first step to prepare for a potential cyber crisis. Equally important is updating the plan regularly, at least annually, and sharing it with all key stakeholders. Ideally, stakeholders should have access to current versions of the plan both in hard copy and online, in the event the network becomes inaccessible during an event.

Ask the Experts

IBM Security X-Force has experts who’ve worked with organizations to develop both incident response plans as well as business-wide cyber crisis management plans. This ensures both plans work together to help minimize risk and impact to a business if an incident turns into a crisis.

Clients have the option to access this expertise through a retainer that provides a broad portfolio of capabilities to help fortify organizational resilience, including plan and playbook development, adversary simulation assessments, and exercises to test plans and identify gaps, all underpinned by the world-class threat intelligence of IBM X-Force Threat Intelligence Services.

To learn more, download the IBM Security X-Force Cyber Crisis Management solution brief, or ask the experts directly by scheduling a consultation.

If your organization requires immediate assistance with incident response, please contact IBM Security X-Force’s US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034. Learn more about X-Force’s threat intelligence and incident response services.
