Phishing attacks, insider threats, denial of service disruptions, malware and ransomware — cybersecurity incidents like these happen on a daily basis. For most of these incidents, the onsite IT team will remediate based on a pre-developed plan and process. And for many of these incidents, that’s a solid approach.

But those incident response plans and strategies are IT-oriented and geared toward short-term fixes and single incident responses. That means that if an incident accelerates beyond a handful of infected laptops or a compromised server and begins to affect operations of all or even part of the organization, the business itself can be disrupted, or even shut down entirely.

When a Security Incident Becomes a Company-Wide Crisis

The aftershocks of an incident-turned-crisis can be profound. In 2013-2014, a global internet services provider (which was in the process of being sold to a new parent company) fell victim to just such an attack. The credentials of three billion user accounts were exposed, along with the personally identifiable information (PII) of 5 million customers. But one of the more striking fallouts of the crisis — along with tainted reputation and diminished brand value — was a reduction of roughly $350M to the final sales price of the company.

And therein lies the difference between a cybersecurity incident — one handled solely and efficiently by IT — and a cybersecurity crisis, which affects multiple organizations within a company (or the entirety of the company itself). Seldom do executives find themselves in a situation where they must explain an individual cybersecurity incident and its response to the board of directors and shareholders. But in a crisis when the aftershocks are profound — such as a $350M reduction in sales price — executives can be assured they will likely be tapped to offer insight and explanation.

Elements of a Cyber Crisis Plan

It’s critical for a business to have a well-defined plan of action in place to respond as efficiently and quickly as possible to a cyber crisis. This is best achieved if the business has implemented a cyber crisis management plan. A cyber crisis management plan is a strategic approach that allows an organization to respond in unison — not in siloes. The cyber crisis management process will accompany the incident response management process that is followed by the cybersecurity team. Working together, both processes will deliver a unified technical and business response to a cyber crisis.

Advance preparation is critical for building a cyber crisis management plan for an organization. Solid preparation must include planning and testing a crisis response and identifying key stakeholders from across the business, such as HR, finance, PR/communications, marketing and client success. This ensures that members from outside the IT/Security function understand that they too have an important role to perform. Working together under pressure as a team helps minimize the overall impact to the business and may lead to a more effective outcome from the crisis.

There isn’t a prescribed format for a cyber crisis management plan — they need to be custom built based on business priorities and most valuable assets. There are, however, common elements often found in many plans:

  • Definition of a crisis
  • Process for qualifying, declaring and de-escalating a crisis
  • Key stakeholders with defined roles and responsibilities
  • Decision-making processes with a defined chain of command
  • Regulatory and compliance disclosure requirements
  • Crisis communications plan

Lather, Rinse, Repeat: Test and Update Your Plan Regularly

Having a cyber crisis management plan in place is a good first step to prepare for a potential cyber crisis. Equally important is updating the plan regularly, at least annually, and sharing it with all key stakeholders. Ideally, stakeholders should have access to current versions of the plan both in hard copy and online, in case the network becomes inaccessible during an event.

Ask the Experts

IBM Security X-Force has experts who’ve worked with organizations to develop both incident response plans and business-wide cyber crisis management plans. This ensures both plans work together to help minimize risk and impact to a business if an incident turns into a crisis.

Clients have the option to access this expertise through a retainer that provides a broad portfolio of capabilities that help fortify organizational resilience, including plan and playbook development, adversary simulation assessments, and exercises to test plans and identify gaps, all underpinned by the world-class threat intelligence of IBM X-Force Threat Intelligence Services.

To learn more, download the IBM Security X-Force Cyber Crisis Management solution brief, or ask the experts directly by scheduling a consultation.

If your organization requires immediate assistance with incident response, please contact IBM Security X-Force’s US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034. Learn more about X-Force’s threat intelligence and incident response services.
