Cyberattacks are hammering businesses and public sector organizations – but when is it really a crisis?

Before wading into the subject of cyber crises, it helps to understand what a crisis is more broadly. That might sound elementary (it's just a bad situation, right?), but the definition runs deeper than you might think.

What is a crisis?

In the business world, a crisis is a serious event that disrupts regular activity and impacts operations negatively. Three key elements must be present for a situation to be deemed a crisis:

  • The situation is stressful
  • There is only a narrow window for intervention
  • There is a struggle (at some point) to manage the situation

Crises take many forms, both natural and man-made. They can arrive with little or no warning, like the SolarWinds hack, and thrust unsuspecting organizations into dangerous new territory. They can also emerge gradually, like COVID-19, a classic slow-burn crisis. While some crises can be prevented, others cannot. However, the impacts of all crises can typically be reduced or managed. Consider this: the UK government listed pandemics on the National Risk Register in 2017, so why was the nation so ill-prepared?

Erika Hayes James, a business specialist at the University of Virginia, says there are two core types of organizational crisis:

  • Sudden crisis – Circumstances that occur without warning and are beyond an institution's control. Organizations will not typically be blamed for the event, but they will be held accountable for their response. Take Malaysia Airlines for example; when flight MH370 went missing, it informed the passengers' families via text message and was widely criticized for it, which contributed to a plunge in its share price. The loss of an aircraft does not by itself produce that outcome; the handling of the response does.
  • Smoldering crisis – Begins as a minor internal or external issue but gradually escalates to crisis level. Organizations are frequently blamed and held accountable for a lack of ability to anticipate, plan and prepare for the smoldering issue.

Two conflicting theories have also gained traction in the past year, as crisis management professionals themselves have wrestled to understand and articulate the COVID-19 pandemic:

  • Black swan – An impactful event that comes as a complete surprise, is unforeseeable (to the extent something similar has never been witnessed, like a black swan), and is often inappropriately rationalized after the fact.
  • Gray rhino – A highly likely yet ignored threat, like an approaching rhino. It is possibly staring you in the face but being overlooked due to cognitive bias, and its impacts are probably avoidable (or at least mitigatable).

Whether or not a crisis was preventable, and whether it stems from external events or from human or process error, it can have severe impacts spanning people, economy, assets, reputation and legal. Remember this using the acronym PEARL.

What is a cyber crisis?

A cyber crisis has the hallmarks of a regular crisis but unfolds digitally (though its repercussions may well permeate the physical world, something we're now seeing more frequently). It is any cyber incident that might seriously impact an organization's reputation, financial stability and business continuity; a ransomware attack, for example. The NCSC defines a cyber incident as a "breach of a system's security policy in order to affect its integrity or availability and/or the unauthorized access or attempted access to a system or systems; in line with the Computer Misuse Act (1990)."

A cyber incident becomes a cyber crisis when such a breach has the potential to cause knock-on negative impacts on the stakeholders described by PEARL. Garmin experienced a cyber crisis in July 2020 when it was crippled by WastedLocker ransomware. The smartwatch specialist had to pull the plug on various services after its internal network and production systems were encrypted, which meant customers couldn't use its GPS-tracking devices. Garmin's reputation was damaged by a poor PR campaign and a failure to communicate quickly and transparently with customers. It also reportedly paid a multi-million dollar ransom to decrypt its data. Thinking back to PEARL, the impacts of this cyber crisis spanned people, economy and reputation.

What is crisis management?

Crisis management is how an organization handles an event that threatens to harm the organization and/or its stakeholders. It was popularized as a concept in the 1980s, when significant industrial and environmental disasters sparked the need for coherent response preparation. (In addition to a number of high-profile crises on oil and gas platforms during this period, the Johnson & Johnson poisoned Tylenol crisis of 1982 was a defining moment, as the pharmaceuticals company enhanced its reputation thanks to its crisis response – something duly noted by other enterprises.)

Crisis management is not just about the response phase, though; it seeks to minimize the damage a crisis can cause and is a comprehensive process that begins well before any incident. There are three key stages of crisis management: preparedness, response and recovery.

An organization will typically have a crisis leader – the COO for example – and a crisis manager. The crisis leader is the primary decision-maker, the leader of the organizational crisis management team; the crisis manager mobilizes that unit, ensuring each stakeholder understands their role and responsibilities. In larger organizations and more tightly regulated sectors these roles may be full-time; in others, they may be filled by senior business leaders who have additional responsibility for continuity and crisis management.

Effective crisis management also means considering the recovery phase while the organization is in the midst of the crisis, thinking of it as a process of moving forward stronger rather than recovering to the pre-crisis status quo. There should be a post-mortem with members of the crisis management team and, if warranted, other internal and external stakeholders. At a minimum, post-mortems should involve core crisis management team members, such as finance and legal. This is a crucial part of the recovery process and an opportunity to outline better ways of doing things in future. If an organization fails to learn anything from a crisis situation, or even a "near miss", it has failed.

Crisis management teams

Effective pre-crisis planning is about uniting key stakeholders, experiences and skills from within (and sometimes outside) the business so that key areas are represented in the risk and crisis preparation, response and recovery processes. Core crisis management teams typically incorporate legal, PR, HR, security, finance and operations staff (IT, for example). The crisis leader should exhibit strong decision-making and situational awareness skills. It is a high-pressure role, sitting at the Gold (Strategic) level, but the dedicated crisis manager will delegate tasks to the key stakeholders operating below, particularly those in the Silver (Tactical) and Bronze (Operational) response teams.

Today, the best systems are those that take a holistic approach, covering preparedness, response and recovery and viewing crises through the lens of organizational impact. However, rigid, prescriptive management systems are still commonplace, and these can lead to ineffective crisis response – especially in cyber terms, where the situation rarely unfolds the way a fixed checklist anticipates.

Cyber crisis management

People are the crux of crisis management systems, especially in the remote-work environment that is fast becoming the norm. Organizational teamwork is therefore crucial. Typically, however, cyber crisis management is trained through tabletop exercises, where everyone must sacrifice time to gather round a table and discuss how they would approach a situation. Each individual represents a different part of the business or team and has their input, but not every part of the exercise is relevant to every participant. For example, legal representatives are often roped in, yet they are only required for a small part of the day.

The Immersive Labs Cyber Crisis Simulator works differently, providing regular micro-drilling to build muscle memory. It has already helped organizations improve individuals' cyber crisis response skills, and it will soon unite strategic and operational teams too, with every decision impacting the next. This version will enable asynchronous participation in realistic crisis response: the relevant person for each task is simply notified when they need to make their contribution, with a full briefing on their colleagues' decisions included. Their actions have a direct impact on the next person in the chain – a cross-organizational exercise that brings the following benefits:

  • Saved time, by ensuring employees are only involved in relevant moments
  • Reduced costs, by cutting logistical overheads of arranging in-person events
  • Increased muscle memory, by allowing exercises to be organized and run more frequently

This iteration of Cyber Crisis Simulator is still in progress, so keep an eye on our social channels for updates. In the meantime, you can get a taste of the product by booking a demo.

Topics: Cyber Crisis Sim
Published: 18 January 2021
Ben Hockman, Crisis Management & Response SME, Immersive Labs

We help businesses to increase and evidence human capability in every part of cybersecurity.