What Two Questions Do You Need to be Prepared to Answer After a Cyberattack?

In this day and age, it’s prudent to think of a cyberattack as a “when”, not “if” scenario.   The truth is, your network is under attack right now and the tools and techniques utilized by your IT and Cybersecurity teams are (hopefully) keeping the bad actors at bay.  But what happens in the event of a breach?  Is your Crisis Management Team ready to answer the most difficult questions?

Most of us are (at least theoretically) familiar with the technical aspects of cybersecurity.  They include network security, intrusion prevention and detection and cyber forensic tools to contain and eradicate the threat.  But it is equally important to have a clearly defined response plan for your Crisis Management Team.  While the techies are off working to resolve the breach, your leadership team will need to mitigate impact to your organization’s reputation, operations and financials.  And the best way to accomplish this is to a) have a pre-defined cyber response plan in place and b) consider several key decisions that your organization might face during the crisis.

You might want to include your cybersecurity response plan in your organization’s crisis management plan. The plan should define key roles and responsibilities, identify insurance requirements and establish default positions to critical decisions you may be required to make.  These default positions allow you to pre-consider how you would approach these decisions based on:

• Your Core Values
• Principles of How You Conduct Business
• Your Risk Appetite
• Company Goals
• Insurance Requirements

The best approach is to determine your default position while allowing yourselves to change your mind as the situation evolves.  This is done by identifying thoughtful considerations that could move you off your default position.  By pre-defining a default position and adding thoughtful considerations, you are reducing the likelihood of ‘off the cuff’, emotional decision making and preparing your leadership team so that they are not thinking about something for the first time.

The cybersecurity response protocols that I’ve written for clients typically include between seven and ten key decisions.  Today I want to focus on two critical decisions that your organization would likely have to face during a cybersecurity attack.

In each example, I’ve picked a default position to demonstrate how the process works.  Note that your default position may differ.  That’s fine.  Base your positions on the principles and requirements of your organization.

Related: Ransomware as a Crisis

1. Will You Pay Ransom?
   This is the elephant in the room and the decision that everyone wants to address first in every tabletop exercise that I’ve run. For the purposes of this article, I will take the position that no, we will not pay a ransom unless it becomes in our best interest to do so.  That means there must be a compelling business case to move the organization towards paying a ransom.  Here are some considerations that might change our position:

• Your cyber insurance provider. I can’t stress how important it is to understand the requirements of your insurer and to run exercises with them prior to a significant cyberattack so that you fully understand what their position is going to be regarding key decisions. Insurance is meant to protect you, but if the insurer’s point of view doesn’t align with yours, who has the final decision?  Run through a couple of scenarios in tabletop exercises with your insurance company present to avoid being surprised during a real incident.
• Personal harm. What if the ransom demand poses a credible threat to public safety or to one of your executives or your employees?  Would that change your position?  Money is one thing, but if your people are threatened, or if there is a broader risk to public safety, the decision may be taken to a different level.
• Data leakage. I ran a tabletop exercise with a client recently and we had one vice president who refused to believe that the data was breached.  He took the position that we would never pay the ransom because he didn’t believe the hacker had the data.  But what if there was credible evidence to support claims of the breach?  What if the hacker included a sample of the stolen data as part of the ransom demand?  What if a ‘proof of life’ email was sent to your company?  Would either of these things change your perspective?  What if the hacker sent proof of the stolen data to the media?
• Capability to recover the affected system. I saw a news report not long ago about an organization that paid a hacker so that they could recover their locked servers. The head of the organization admitted that they had no way to recover the servers and that the hacker ‘had them over a barrel.’  What if you found yourself in a similar situation, if you were unable to recover lost / compromised data / platforms, would that change your position about paying the ransom?
• Optics. This may be different from industry to industry.  I spoke with one client who had a particularly strong view that paying a ransom equated to funding a terrorist.  Others are concerned about the optics of paying (or not paying) and how that affects the outcome of the incident.  For example, if you decided not to pay a ransom and the incident resulted in a major privacy breach, what would the reputational impact be to your organization?

2. Should You Engage the Media?
   In my comprehensive cybersecurity response plan, this question isn’t asked in isolation. It’s part of a broader communications strategy that needs to be considered. But even in isolation, there is value in reviewing this key decision ahead of time, so that your strategy is in place – based on the principles that you’ve defined.  If you do choose to engage the media, be honest but don’t share more than you should.  Never cover up facts or minimize data exposure.  This will only make things worse later. For the purposes of this article, I will take the position that no, we will not engage the media, unless it is in our best interest to do so.  But what could move us off that position?
   • Sensitivity of the information at issue. In George Carlin’s comedy routine from “Carlin on Campus” he reported this “news story”: “A man has barricaded himself inside of his house, however, he is not armed, and no one is paying any attention to him.”  If this isn’t a story, don’t make it one.  But if the breached data is highly sensitive or affects a large number of people, it would be prudent to get in front of the story and control the message.
   • Brand impact. It’s never a good idea to stay silent while your brand’s reputation gets dragged through the mud.  If this is happening, give strong consideration to when you will engage the media.
   • Likelihood of media coverage anyhow. I read an article a few months back where a hacker actually issued a press release claiming to have the data of a well-known organization.  As you might have guessed, that led to significant media coverage.  The breach victim then had no choice but to respond to the media.   This put the organization in a position of playing catch-up, rather than having the opportunity to define the narrative and control the message.
   • If there is inaccurate information in the public domain. A news report comes out saying that your company had a major data breach and 10,000,000 customer files and credit card numbers have been exposed.  Phones are ringing off the hook.  The only problem is – it isn’t true.  Yes, there was a breach and yes customer order history was exposed, but no financials were included.  You bet you need to get in front of this as quickly as possible and correct the information that’s being consumed.

Related: What should media engagement look like in the first 60 minutes of a crisis?

This is a small sample of the type of questions that I lay out in my cybersecurity response plans.  It changes your Crisis Management Team’s perspective when dealing with a pressure-packed incident.  Instead of wondering how to respond, the team can say “Okay, we’ve thought this through, and our position is _______”.  Then they can ask, “Is there anything that would compel is to move away from that position”?  By using the default position and pre-defined considerations, your leadership team can establish a response plan that based on your organization’s principles rather than the emotions of the hour.

As with any response plan, it is critical to exercise this plan.  Not long ago I worked with a client to exercise their plan.  It was after weeks of developing the response plan, reviewing the core principles and default positions.  We knew our communications strategy.  At least I thought we did.  As I presented the scenario and the team worked through the plan, a senior leader ‘went rogue’ and took a position that was completely contrary to the documented response – and to the principles the document is based on.  It was a great learning opportunity because the exercise stress-tested the principles to see how they would apply in a real-life scenario.

Have you developed a cybersecurity response plan for your Crisis Management Team?   I can’t stress the benefit of laying out a principled response plan that gives consideration to likely decisions that your team will face during a significant attack.  Don’t delay!

Mark Hoffman

Senior crisis management and business continuity consultant with cybersecurity response and crisis communications experience in a leadership role, spanning twenty years.

Proven track record in developing and implementing crisis management, business continuity and cybersecurity response protocols, and establishing mature business continuity programs and effective governance models.

Quick to build relationships and achieve results working collaboratively with business leaders and executives.

Extensive experience in the development and execution of tabletop and operational exercises with a focus on measurable results that lead to overall improvement of plans and programs.

Feel free to contact Mark to see how he can help your organization be well prepared: [email protected] or on Twitter @mhoffman_cbcp