Phishing attacks, insider threats, denial of service disruptions, malware and ransomware — cybersecurity incidents like these happen on a daily basis. For most of these incidents, the onsite IT team will remediate based on a pre-developed plan and process. And for many of these incidents, that’s a solid approach.

But those incident response plans and strategies are IT oriented and geared toward short-term fixes and single incident responses. Meaning, if an incident accelerates beyond a handful of infected laptops or a compromised server and begins to affect operations of all or even part of the organization, business itself can be disrupted — or even shut down entirely.

When a Security Incident Becomes a Company-Wide Crisis

The aftershocks of an incident-turned-crisis can be profound. In 2013-2014, a global internet services provider (which was in the process of being sold to a new parent company) fell victim to just such an attack. The credentials of three billion user accounts were exposed, along with the personally identifiable information (PII) of 5 million customers. But one of the more striking fallouts of the crisis — along with tainted reputation and diminished brand value — was a reduction of roughly $350M to the final sales price of the company.

And therein lies the difference between a cybersecurity incident — one handled solely and efficiently by IT — and a cybersecurity crisis, which affects multiple organizations within a company (or the entirety of the company itself). Seldom do executives find themselves in a situation where they must explain an individual cybersecurity incident and its response to the board of directors and shareholders. But in a crisis when the aftershocks are profound — such as a $350M reduction in sales price — executives can be assured they will likely be tapped to offer insight and explanation.

Learn more

Elements of a Cyber Crisis Plan

It’s critical for a business to have a well-defined plan of action in place to respond as efficiently and quickly as possible to a cyber crisis. This is best achieved if the business has implemented a cyber crisis management plan. A cyber crisis management plan is a strategic approach that allows an organization to respond in unison — not in siloes. The cyber crisis management process will accompany the incident response management process that is followed by the cybersecurity team. Working together, both processes will deliver a unified technical and business response to a cyber crisis.

Advance preparation is critical for building a cyber crisis management plan for an organization. Solid preparation must include planning and testing a crisis response and identifying key stakeholders from across the business, such as HR, finance, PR/communications, marketing and client success. This ensures that members from outside the IT/Security function understand that they too have an important role to perform. Working together under pressure as a team to minimize the overall impact to the business and may lead to a more effective outcome from the crisis.

There isn’t a prescribed format for a cyber crisis management plan — they need to be custom built based on business priorities and most valuable assets. There are, however, common elements often found in many plans:

  • Definition of a crisis
  • Process for qualifying, declaring and de-escalating a crisis
  • Key stakeholders with defined roles and responsibilities
  • Decision-making processes and with a defined chain of command
  • Regulatory and compliance disclosure requirements
  • Crisis communications plan

Lather, Rinse, Repeat: Test and Update Your Plan Regularly

Having a cyber crisis management plan in place is a good first step to prepare for a potential cyber crisis. Equally important is updating the plan regularly, at least annually, and sharing it with all key stakeholders. Ideally, stakeholders should have access to current versions of the plan in both hard copy as well as online, in the event the network becomes inaccessible during an event.

Ask the Experts

IBM Security X-Force has experts who’ve worked with organizations to develop both incident response plans as well as business-wide cyber crisis management plans. This ensures both plans work together to help minimize risk and impact to a business if an incident turns into a crisis.

Clients have the option to access this expertise through a retainer that provides a broad portfolio of capabilities that help fortify organization resilience, including plan and playbook development, adversary simulation assessments, exercises to test plans and identify gaps, underpinned by world-class threat intelligence of the IBM X-Force Threat Intelligence Services.

To learn more, download the IBM Security X-Force Cyber Crisis Management solution brief, or ask the experts directly by scheduling a consultation.

If your organization requires immediate assistance with incident response, please contact IBM Security X-Force’s US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034. Learn more about X-Force’s threat intelligence and incident response services.

More from Incident Response

How the Mac OS X Trojan Flashback Changed Cybersecurity

Not so long ago, the Mac was thought to be impervious to viruses. In fact, Apple once stated on its website that "it doesn't get PC viruses". But that was before the Mac OS X Trojan Flashback malware appeared in 2012. Since then, Mac and iPhone security issues have changed dramatically — and so has the security of the entire world. In this post, we'll revisit how the Flashback incident unfolded and how it changed the security landscape forever. What…

What Hurricane Preparedness Can Teach Us About Ransomware

Each year between June and November, many parts of the U.S. become potential targets for hurricanes. In October 2022, we had Hurricane Ian devastate Florida. To prepare for natural disasters like hurricanes, organizations are encouraged to build out and test business continuity, disaster recovery, and crisis management plans to use in the response efforts. Millions of dollars each year are spent on natural disaster preparation, but natural disasters are not the only disruption businesses face. While we can’t equate the…

Charles Henderson’s Cybersecurity Awareness Month Content Roundup

In some parts of the world during October, we have Halloween, which conjures the specter of imagined monsters lurking in the dark. Simultaneously, October is Cybersecurity Awareness Month, which evokes the specter of threats lurking behind our screens. Bombarded with horror stories about data breaches, ransomware, and malware, everyone’s suddenly in the latest cybersecurity trends and data, and the intricacies of their organization’s incident response plan. What does all this fear and uncertainty stem from? It’s the unknowns. Who might…

A Day in the Life: Working in Cyber Incident Response

As a cybersecurity incident responder, your life can go from zero to 100 in a heartbeat. One moment you are sipping a beverage reading the latest threat intelligence or getting the kids ready for bed; the next, you may be lunging for your "go bag" because you cannot remote in to the breached system. It's all part of the game. Seasoned incident responders can handle this jab: "Why would you want a job like this? Are you crazy?" The truth…