Phishing attacks, insider threats, denial of service disruptions, malware and ransomware — cybersecurity incidents like these happen on a daily basis. For most of these incidents, the onsite IT team will remediate based on a pre-developed plan and process. And for many of these incidents, that’s a solid approach.

But those incident response plans and strategies are IT oriented and geared toward short-term fixes and single incident responses. Meaning, if an incident accelerates beyond a handful of infected laptops or a compromised server and begins to affect operations of all or even part of the organization, business itself can be disrupted — or even shut down entirely.

When a Security Incident Becomes a Company-Wide Crisis

The aftershocks of an incident-turned-crisis can be profound. In 2013-2014, a global internet services provider (which was in the process of being sold to a new parent company) fell victim to just such an attack. The credentials of three billion user accounts were exposed, along with the personally identifiable information (PII) of 5 million customers. But one of the more striking fallouts of the crisis — along with tainted reputation and diminished brand value — was a reduction of roughly $350M to the final sales price of the company.

And therein lies the difference between a cybersecurity incident — one handled solely and efficiently by IT — and a cybersecurity crisis, which affects multiple organizations within a company (or the entirety of the company itself). Seldom do executives find themselves in a situation where they must explain an individual cybersecurity incident and its response to the board of directors and shareholders. But in a crisis when the aftershocks are profound — such as a $350M reduction in sales price — executives can be assured they will likely be tapped to offer insight and explanation.

Elements of a Cyber Crisis Plan

It’s critical for a business to have a well-defined plan of action in place to respond as efficiently and quickly as possible to a cyber crisis. This is best achieved if the business has implemented a cyber crisis management plan. A cyber crisis management plan is a strategic approach that allows an organization to respond in unison — not in siloes. The cyber crisis management process will accompany the incident response management process that is followed by the cybersecurity team. Working together, both processes will deliver a unified technical and business response to a cyber crisis.

Advance preparation is critical for building a cyber crisis management plan for an organization. Solid preparation must include planning and testing a crisis response and identifying key stakeholders from across the business, such as HR, finance, PR/communications, marketing and client success. This ensures that members from outside the IT/Security function understand that they too have an important role to perform. Working together under pressure as a team to minimize the overall impact to the business and may lead to a more effective outcome from the crisis.

There isn’t a prescribed format for a cyber crisis management plan — they need to be custom built based on business priorities and most valuable assets. There are, however, common elements often found in many plans:

• Definition of a crisis
• Process for qualifying, declaring and de-escalating a crisis
• Key stakeholders with defined roles and responsibilities
• Decision-making processes and with a defined chain of command
• Regulatory and compliance disclosure requirements
• Crisis communications plan

Lather, Rinse, Repeat: Test and Update Your Plan Regularly

Having a cyber crisis management plan in place is a good first step to prepare for a potential cyber crisis. Equally important is updating the plan regularly, at least annually, and sharing it with all key stakeholders. Ideally, stakeholders should have access to current versions of the plan in both hard copy as well as online, in the event the network becomes inaccessible during an event.

Ask the Experts

IBM Security X-Force has experts who’ve worked with organizations to develop both incident response plans as well as business-wide cyber crisis management plans. This ensures both plans work together to help minimize risk and impact to a business if an incident turns into a crisis.

Clients have the option to access this expertise through a retainer that provides a broad portfolio of capabilities that help fortify organization resilience, including plan and playbook development, adversary simulation assessments, exercises to test plans and identify gaps, underpinned by world-class threat intelligence of the IBM X-Force Threat Intelligence Services.

To learn more, download the IBM Security X-Force Cyber Crisis Management solution brief, or ask the experts directly by scheduling a consultation.

If your organization requires immediate assistance with incident response, please contact IBM Security X-Force’s US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034. Learn more about X-Force’s threat intelligence and incident response services.