Cybersecurity: how to get organised in a crisis?
“There are really only two types of company: those which have been attacked and those which have been attacked but don’t know it yet.” As Alain Bouillé rightly notes, cybersecurity crisis management has a vital role to play within organisations. Indeed, the exponential rise in threats requires organisations to prepare so that they can tackle attacks head on and under the best possible conditions.
For organisations, it is no longer a question of if, but rather of when they will be the victims of a major security incident and what reflexes should be adopted when it does.
Organisations are aware of the growing need – and sometimes the obligation – to protect their data assets from cybersecurity threats. It is also important to deploy prevention and defence measures in proportion to what is at stake: the fight against industrial espionage, the protection of sensitive information, and so on.
Whether within a private or public company, on a national or even global scale, a crisis can happen at any given moment and spread like wildfire. To respond to the crisis, every organisation must adopt a procedure that is fully adapted to its environment, making it possible to coordinate with both urgency and efficiency.
Case study: data leak at L’Express magazine
The crisis experienced by the French weekly magazine L’Express in early 2018 which affected the data of nearly 700,000 readers is representative of the reality of these issues. The magazine had left a server containing a database with the personal information of its readers unprotected for several weeks. The database contained their full names, addresses and job titles. Whilst the magazine had been alerted to the leak on several occasions, it failed to intervene immediately which allowed the malicious hackers to demand a ransom.
Which elements were at fault here? First of all, the reader database – the magazine’s strategic asset – found itself lacking sufficient security. This is not only a technical fault: the absence of response from the weekly magazine also suggests a failure within the organisation.
This insufficient security was amplified by the company’s apparent inability to act quickly in order to resolve the problem, which continued to compromise the affected assets. Eventually, following the event’s media coverage, the magazine’s situation quickly went from incident to a state of crisis, due to the company’s difficulties in managing the public exposure of its security breach.
These failures prevented the organisation from moving forward and managing the incident correctly, and from maintaining adequate resilience to the crisis situation.
3 steps for successful crisis management
Managing a major security incident involves rigorous and well-planned organisation with well-defined steps.
When the major incident disrupts the organisation’s normal operations, then it is in a state of crisis. Where possible, we must not wait for a serious incident to arise before giving it some thought: the key to successful crisis management is foresight.
Step 1: Anticipation and preparation
Anticipation means implementing a system for responding to incidents that includes all stakeholders (security, legal, communications, etc.). It is crucial to have at your disposal a crisis management process, even a brief one.
Some useful measures might be proposed, namely:
- Implement a RACI matrix: this assigns the roles and responsibilities that will determine who is concerned in case of a major security incident, who intervenes, the role of each person and what actions must be implemented in such a situation.
- Deploy specific logistics: this involves being equipped with the means necessary for conducting calm crisis management. This could mean setting up a dedicated place with restricted access (e.g., a war room) and taking human resources into account: if the response runs overnight, team members must be able to work through the night, take regular breaks, eat, make a tea or coffee, etc.
- Determine how the crisis management will be played out: choose the methodology for leading the different remediation operations, determine who will supervise, and identify any key steps to remember. For example, it is useful to organise briefings at the beginning and end of every day to consolidate information with the whole team, to note down everybody’s actions, to anticipate which internal authorities must be informed, and to plan whether any public bodies must be notified (see below).
- Seek feedback: the objective here is to draw up a report on how the crisis was managed, organise feedback on what needs to be set up to improve management, smooth out any sticking points for future crises or even warn other market players in an effort to foster cooperation.
Planning a process beforehand will help save time when the crisis strikes and direct the measures that need to be taken.
Step 2: diagnose, take decisions and act
As soon as a security incident becomes known, the organisation must be able to classify it: is it a “simple” incident or is the company at breaking point and therefore faced with an imminent crisis? Furthermore, is the data affected? Which systems are impacted? What are the first lines of investigation and confinement to be taken? How can the incident be terminated and resolved?
With the incident classified, the established action plan can be implemented and, if necessary, a crisis unit set up tasked with confining, blocking and resolving the consequences of the serious incident whilst documenting the events encountered during the management process.
- Set up a crisis unit: all stakeholders will take part. This involves security experts and IT, of course, but also personnel from management and the finance department (in case of a ransomware attack, for example), as well as team leaders depending on the services impacted by the major incident. Concretely, this involves making premises available, planning supplies so that the team can work without being interrupted, etc. On the technical side, if a traditional information system is compromised, it is often vital to set up a parallel IS. For example, in cases of Elevation of Privilege (EOP), the attackers will take over the whole system: computers and inboxes can no longer be trusted. Traditional security measures will now be inoperable because the attackers have been able to seize control over them.
- Scrupulously document the crisis management: a crisis can block and/or compromise the organisation’s information system. A logbook, preferably in paper form, should be started as soon as the crisis begins in order to record all the actions taken by the unit members. Each day, the unit must follow an operating cycle with a morning briefing, an intermediate meeting and an evening briefing, and report to senior management. The goal here is to restore and cleanse the system so that operations can continue. Next, the lessons learned from the crisis are recorded to establish the causes of the compromise and to address any future system malfunctions.
It is essential to collect proof and, where possible, to document each step taken. Doing so will enable you to prove that all the means possible were put into place to resolve the crisis but will also feed into the information taken during any potential complaint. Fully documenting the event will enable the organisation to move onto the next step: communication and notification.
Step 3: notification and communication
When a major security incident arises, GDPR expects the Data Officer to notify the relevant authorities no later than 72 hours after first noticing it. This notification might come with an obligation to alert impacted parties when there is an increased risk concerning their rights and liberties.
The Data Officer must be able to analyse the situation and centralise the information required for the notification as quickly as possible.
In the L’Express data leak example, if the GDPR had been applicable in January 2018, then the magazine would have had to perform said notification of the violation within the deadline to the Commission nationale de l’informatique et des libertés (CNIL – the French national data protection agency). This notification would have been accompanied by certain mandatory information such as the nature of the personal data violated, the categories of the impacted data and the people concerned, a description of the likely consequences or even the measures taken to resolve it.
The mandatory notification of security incidents is not only the domain of the GDPR. It also applies to certain sectors or specific organisations; in France, for example, operators of vital importance must notify the French national agency for information systems security (ANSSI) of any security breach. Healthcare organisations, for their part, must report these incidents to the regional healthcare agencies as soon as they can.
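The two record-keeping points above – a logbook that proves which actions the crisis unit took and when (step 2), and the 72-hour notification window (step 3) – can be illustrated with a small script. This is an added example, not code from the article or from any organisation it mentions: the hash-chained logbook, the function and class names, and the timeline of entries are all constructed for illustration. A paper logbook, as the article recommends, remains the primary record when the information system itself cannot be trusted; the chained hashes simply make an electronic copy tamper-evident, so that any later edit to an earlier entry can be detected.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Deadline stated in the article: notify the authority no later than 72 hours after discovery.
NOTIFICATION_WINDOW = timedelta(hours=72)
GENESIS = "0" * 64  # constructed anchor value for the first entry of the chain


def entry_hash(prev_hash, timestamp, actor, action):
    """Hash an entry together with its predecessor's hash, so entries are chained."""
    payload = json.dumps(
        {"prev": prev_hash, "ts": timestamp, "actor": actor, "action": action},
        sort_keys=True,
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class CrisisLogbook:
    """Append-only, hash-chained record of crisis-unit actions (constructed example)."""

    def __init__(self):
        self.entries = []

    def record(self, actor, action, when):
        """Append one action; 'when' is a timezone-aware datetime."""
        ts = when.astimezone(timezone.utc).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "ts": ts,
            "actor": actor,
            "action": action,
            "prev": prev,
            "hash": entry_hash(prev, ts, actor, action),
        }
        self.entries.append(entry)
        return entry

    def first_broken_entry(self):
        """Index of the first entry whose link or hash no longer matches, or -1 if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            recomputed = entry_hash(prev, e["ts"], e["actor"], e["action"])
            if e["prev"] != prev or recomputed != e["hash"]:
                return i
            prev = e["hash"]
        return -1


def notification_deadline(discovered_at):
    """Latest moment for notifying the authority, per the 72-hour rule."""
    return discovered_at + NOTIFICATION_WINDOW


def hours_remaining(discovered_at, now):
    """Hours left before the window closes (negative once it has already passed)."""
    return (notification_deadline(discovered_at) - now).total_seconds() / 3600


def build_sample_logbook():
    """Constructed timeline: discovery at 09:00 UTC, then actions logged over the day."""
    discovered = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    book = CrisisLogbook()
    book.record("SOC analyst", "Alert received: database server reachable without authentication", discovered)
    book.record("Crisis lead", "Crisis unit convened, war room opened", discovered + timedelta(minutes=40))
    book.record("DPO", "Started the notification file for the authority", discovered + timedelta(hours=5))
    return book, discovered


def demo():
    """Check the chain and the deadline 30 hours after discovery."""
    book, discovered = build_sample_logbook()
    intact = book.first_broken_entry()  # -1: no entry has been altered
    remaining = hours_remaining(discovered, discovered + timedelta(hours=30))  # 42.0
    return intact, remaining


if __name__ == "__main__":
    print(demo())
```

Each entry stores the hash of the one before it, so rewriting an earlier action (or deleting one) breaks every subsequent link and `first_broken_entry` points at the edit; the deadline helper turns the discovery time recorded in the first entry into the notification cut-off the Data Officer has to track.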
Crisis management is unavoidable for a resilient organisation
A crisis always carries consequences. Whether it damages the interests of the organisation or of the people whose data was impacted, the repercussions are almost systematic. Successful crisis management requires foresight and the implementation of an adequate solution to resolve the problem efficiently.
Crisis management is unavoidable and never easy. It is the process that allows an organisation to resume operations as quickly as possible and to implement prevention measures to prevent this type of situation from happening again. It is therefore necessary to reflect on the management of major cybersecurity incidents and to seek support on how to go about it.