Cybersecurity Crisis Management: What Can Go Wrong and How to Get It Right

by Natalia Smalyuk and Ian I. Mitroff

SolarWinds, the Colonial Pipeline, Canada Post. Hardly a week goes by without a massive hack hitting the headlines. The new pandemic of attacks, with threat actors targeting critical sectors, from public service to infrastructure to healthcare and the COVID-19 vaccine supply chain, not only looks like, but increasingly is an actual cyber war. What’s changed the battlefield? What does it mean for organizations and their ability to protect themselves from such attacks and the crises they unleash? We asked this of crisis and security experts across industries to understand better what can go wrong and how to get it right. What emerged were nine common mistakes that organizations need to correct if they are to keep themselves safe and secure.

Not investing in cyber defense

According to the Cisco Security Outcomes Study: Endpoint Edition, over 40 per cent of organizations report having had a major security incident in the last two years. In the vast number of breaches, current protections were inadequate.

When a disastrous hack compromised thousands of organizations across the globe through a malicious code snuck into SolarWinds’ network-management software updates, the New York Times characterized SolarWinds as a “ripe target” for the assault due to its “dubious security precautions.” The company was criticized for its weak protections for passwords and for not having a Chief Information Security Officer. 

While organizations lag behind in their cyber defenses, the intruders are continually upping their game by exploiting system vulnerabilities. According to the 2021 IBM X-Force® Threat Intelligence Index, ransomware is the top threat, comprising 23 per cent of all attacks. Traditional defenses, such as strong passwords, two-factor authentication, antiviruses and firewalls, are no longer enough. The shift to remote work brought on by the pandemic opened new doors for cyber criminals. It was facilitated by the large numbers of employees accessing tremendous amounts of data on a plethora of devices and cloud applications. The anticipated post-pandemic transition to hybrid workplaces will, no doubt, create new gaps. Heading into 2022, organizations should re-think the entire continuum of prevention, detection and mitigation to boost their resilience to cyberattacks.

Not having a cyber Crisis Management plan

According to the Gartner report, only 37 per cent of organizations have a response plan for cyber incidents. Relying on existing business continuity plans to weather security breaches is a common mistake. In brief, hacks are a fundamentally different kind of “animal” than fires or floods. Other than ITs, the technicalities are poorly understood by other groups, not to mention the general public. Substantial unknowns make it difficult to communicate regarding a breach because investigating the scale, impacts, and root causes may take days or even months. Human factors, such as the risk of exposing personal information and the role of malicious actors, coupled with privacy acts, complex notification procedures, and public disclosure protocols in different jurisdictions, make it particularly challenging. “Borders have disappeared when it comes to data, but not the privacy laws that govern it,” says Brent Arnold, a cybersecurity leader at the law firm Gowling WLG. Finally, hackers may well sneak into the very channels that enable crisis communication. Maersk, a victim of a NotPetya ransomware attack, left its stakeholders in the dark when its systems went down.

All of this requires new crisis plans and thinking that deal specifically with cyber events, starting with an audit of a company’s risk profile and its vulnerabilities to various kinds of attacks. Potential crises can then be classified based on the level of threat they pose to an organization and its stakeholders. Special attention needs to be paid to what can be done to bolster prevention, detection, and response plans for each of the key types of crises. Unfortunately, those crises that are classified as low threats often have an uncanny way of doing great damage. They are ignored at our peril.

Not updating a cyber Crisis Management plan

A list of the different types of cyber crises is never complete. New types and subtypes are constantly emerging. For example, ransomware attackers adopted big game hunting and double extortion tactics, combining data encryption with threats to leak sensitive data on public sites. X-Force discovered intruders who were using targeted spear phishing campaigns against manufacturing businesses and NGOs involved in the vaccine supply chain for COVID-19. To stay ahead of their adversaries, organizations constantly need to monitor trends and to update their cyber crisis plans on a regular basis – ideally, every quarter, at the very least twice a year.

Unfortunately, far too many consider such exercises a waste of time and money. If a threat scenario has not materialized recently, they deem it not worth the investment of resources. The problem with this “logic” is that it leaves an organization especially vulnerable to cyber crises and their disastrous costs. Preventing a breach – or mitigating it effectively – is far cheaper than dealing with a full-blown catastrophe. According to IBM, the global average cost of a data breach in 2020 was $3.86 million, with the healthcare sector having the highest industry cost, at $7.13 million.

Not thinking about crises systematically

Organizations tend to view cyber readiness as issues for IT only. As a result, they don’t look at all of the factors that can lead to a breach, let alone those that can result from it. Indeed, it’s left primarily to engineers to create a secure cyber architecture. But true resilience requires true interdisciplinary cooperation. For this reason, Mitroff has argued that every serious crisis is a “wicked mess” – a phenomenon that was described by the eminent social systems scientist Russell Ackoff consisting of a system of problems that were highly interactive. In a “wicked mess,” seemingly unrelated or improbable events collide to create an even bigger mess. The right solutions may seem obvious in hindsight, but in real time, organizations struggle to cope as best they can. For example, when the COVID-19 pandemic hit, many organizations had lax policies for remote work. Again, in hindsight, it’s easy to say that they should have prioritized cyber security.  

Wicked messes require that they be viewed from multiple perspectives. The problem is that it takes a lot of collaboration to do so. Traditionally, organizations include the heads of IT, security, operations, finance, human resources, legal and public relations in their crisis teams. Some add their CEOs, board members, and government affairs experts. However, core teams also need to build relationships with their key partners who need to be brought in Before, During, and After crises. These include experts in cyber defense, threat intelligence, digital forensic, cyber insurance and legal services. Lines of communication with third parties and suppliers are highly recommended as well.

Not thinking about the continuum of “Before,” During” and “After” cyber events

In many ways, crises are comparable to icebergs. To be sure, the crisis is “visible” when it “hits the fan.” But most of the time, crises lie beneath the surface. Unfortunately, stakeholders don’t just see the tip of the iceberg alone. They see the disastrous chain reactions that result from the initial crises. For example, a malware attack on a supplier impacted 44 of Canada Post’s biggest corporate customers, and potentially up to one million Canadians.

The best way to address the Before phase of Crisis Management is by having explicit conversations with third parties about their cyber practices and adding joint crisis planning to contracts. (In brief, the Before phase includes all the things that need to be done before a crisis occurs to make an organization better prepared to handle it when it does occur, and even better, to help prevent it.)

The lessons that need to be learned after each breach need to serve as the basis for updated crisis plans. However, without an effective investigation, the causes of an incident cannot be understood, and therefore security breaches will continue to blindside an organization. This is where the After phase of Crisis Management morphs into the Before and During phases. Both are integral parts of Proactive Crisis Management. It also consists of learning from what happened in other organizations and contexts. For example, when the U.S. health insurer Anthem disclosed that hackers had potentially stolen the records containing the highly personal information of 80 million customers, the lesson for organizations across industries was that encryption was essential in order to protect sensitive data.

Not acting on early warning signals

Unfortunately, cyberattacks now happen frequently, often lasting over extended periods of time. While delays in detection make them difficult to manage and communicate, once again, stakeholders press for immediate answers. How bad is it? What took you so long to report the breach? Why did it happen in the first place? When Target’s payment and card readers were infected in 2013, critics speculated that the retailer either didn’t know how to use its FireEye malware detection data or neglected to report the breach.

To add insult to injury, organizations often learn they have been compromised from outside sources – customers, partners, journalists, social media, authorities, or attackers themselves. Home Depot wasn’t aware that its payment systems had been breached until it was notified by banks and law enforcement. Looking proactively for red flags, such as bad actors, irregular behaviors, unplanned updates, and unauthorized configuration changes, goes a long way in early detection and the mitigation of potential attacks. That’s why the design and deployment of effective warning systems is a critical part of Before.

Not conducting a deep assumptional analysis

The history of technology shows time and time again that innovators don’t consider all the uses, misuses, and abuses of their creations, let alone their unintended consequences. The default assumption is that consumers are responsible and reasonably intelligent. They will not exploit technology for nefarious purposes. Facebook’s proclaimed mission is to give people the power to build community and bring the world closer together. Sadly, Facebook’s platform also served as a prime vehicle for cyberbulling, spreading disinformation, hate speech, and fake news.

To uncover an organization’s weaknesses and inherent flaws, leaders need to surface and challenge critical assumptions that underlie important decisions and plans. One of the best ways of doing this is by assigning red teams – or “hackers for hire” – to poke holes in an organization’s cyber architecture and thus to understand how it can be exploited by criminals. Mitroff recommends going even further by digging down into the assumptions of cyber adversaries by what is known as “internal assassin teams.” For example, it’s known that ransomware attackers, such as Sodinokibi, went after law firms in 2020. If law firms thought like “assassins,” they could have hopefully anticipated such threats. Namely, “They’ll pay ransoms because they don’t want us to leak the secrets of their high-profile clients.”  Law firms could have thereby counter-attacked by the encryption of sensitive data. 

Not stress-testing crisis plans

Those who’ve been through major crises often use the same words to describe their experience as soldiers who’ve been thrown into battle. How many times have we heard that “being in a crisis is tantamount to being in a war”? Sophisticated hacker attacks are, indeed, a new battleground, and one for which we shouldn’t send soldiers without giving them basic training. “Battle readiness” is built through regular drills. Without them, crisis plans provide little more than a false sense of security. Regular decision exercises and scenario simulations test cyber defenses to pinpoint gaps and build coping strategies that are essential to persevering under extreme stress. Case studies train participants to think outside rigid rules when dealing with the evolving patterns of risk and the messy realities of crises.

Cyber awareness and crisis training should not stop with the formation of Crisis Management Teams. In fact, the biggest security risk in organizations is the errors or misbehaviours of ordinary employees. Confidential documents can easily be sent to the wrong parties. Key employees can lose their laptops, open phishing emails, or let outsiders use their log-ins. While these cannot be eliminated entirely, they can be mitigated by means of enterprise-wide cyber security training and “how-not-to” war stories.

Misjudging reputational risk

Crisis communicators run into many “what-if” dilemmas where they are damned if they do and damned if they don’t. Investigations can take months, if not years, but stakeholders want answers now. What, if anything, can the organization tell them and when? What if by breaking bad news, it sets off a perceptual crisis of its own making? FireEye was praised for admitting their SolarWinds breach in a blog detailing the incident and the company’s response, but others targeted in the same attack choose to wait and see.

Going silent and acting as if nothing happened is an all-too-common mistake. The Deloitte hack was first made public by the Guardian rather than by the company itself. Observers speculated that the delay in communication may have led a whistleblower to contact the newspaper. While it’s only natural for companies to feel that they need to confirm the facts and solve problems before disclosing them to the world, stakeholders favour those organizations that take full responsibility, communicate early, and show empathy. Uber failed to report a security incident and was forced to pay $148 million to settle claims over the alleged cover-up of a 2016 data breach where hackers stole personal information of 25 million customers and drivers in the U.S.

As the saying goes, the best defense is offense. Cyber-resilient organizations act, not react. To win an invisible war, they study their adversaries, anticipate their moves, and attack – and thus expose – their own vulnerabilities before hackers do. 

____________

Ian I. Mitroff is credited as one of the founders of the modern field of Crisis Management. He has a BS, MS and PhD in Engineering and the Philosophy of Social Systems Science from the University of California, Berkeley. He is Professor Emeritus from the Marshall School of Business and the Annenberg School of Communication at the University of Southern California. Currently, Mitroff is a Senior Research Affiliate in the Center for Catastrophic Risk Management, UC Berkeley, which brings together Crisis Management leaders from diverse industries to exchange their learnings and best practices. He has published over 40 books. 

Natalia Smalyuk, MBA, MA, is an award-winning communications strategist with a focus on crisis and reputation management. With a passion for helping people and organizations fulfil their missions and live their dreams, Smalyuk believes there’s no such thing as “business as usual.” Known for her ability to dig into the issues from a 30,000-feet-view right to the core to unpack insights and paths to value creation, she quickly zeroes in on the real problem. And the real story. Her firm NBAU Consulting offers crisis leadership consulting, planning and training to guide organizations through adversity and build resilience.