[BreachExchange] A CEO’s guide to managing a cybersecurity crisis

Destry Winant destry at riskbasedsecurity.com
Fri Feb 28 10:27:22 EST 2020


https://www.itproportal.com/features/a-ceos-guide-to-managing-a-cybersecurity-crisis/

A cyber-breach can not only cause significant damage to a company’s
operations, sales, reputation and stock price, but also end the
successful career of a CEO or CSO - as happened with some cyberattacks
in recent years.

So much so that the Allianz Risk Barometer 2020, the largest risk survey
worldwide, ranked business interruption as a result of cybersecurity
breaches as the most severe risk to organisations.

While you can never pre-empt a cybersecurity crisis, you can buy time
by putting in place a well-rehearsed and effective cyber-resilience
strategy, which is crucial to mitigating the worst effects of an
attack while keeping the business going. This is increasingly a hot
topic for chief risk officers, chief information security officers
and company boards as they consider the best approach to bouncing back
from a cyber-assault.

Good preparation is a must, but in order to be able to react quickly
and avoid long-term damage, businesses need to simulate a cyberattack
to understand who is responsible for what, and where the process gaps
and technology issues are. This could include a tabletop exercise, in
which the relevant executives huddle around a table to wargame how a
scenario could develop.

Yet, even for the best prepared, a cyber-crisis could occur at any
given moment. What should you do, if you are the CEO of an affected
company?

First - Take command

Get your hands dirty – simply delegating the work to the IT team
during a cyber-breach can be dangerous for both the company and for
you personally. Don’t learn this the hard way - cyber-risk does not
just affect your IT network but also every aspect of your business.

Operational disruptions and litigation costs have an instant impact on
your reputation if they are not prioritised properly. Shareholders are
therefore beginning to seek personal accountability when companies
are caught up in a cyber-crisis. Effective management of a cyber-breach
necessitates board-level engagement at both the COO and CFO level;
however, the CEO is often the best person to manage it.

Next – communicate

Nobody wants to be in the news in relation to a cyberattack and be
challenged by the public and press as a result. Was it poor
cybersecurity or a nation-state hacker? Do you really understand the
full extent of leaked data? Could there be any further backdoors the
attackers might use to sabotage activities?

A cyber-crisis is almost always very intricate - it can take months or
even years to answer all those questions. However, public opinion on
how professionally a company has managed the incident will be
determined by its communication strategy. Will you opt for secrecy,
full transparency, or the dangerous way in between?

We can only speculate about the success rate of incidents that were
kept in the dark; however, there is enough evidence to support this:
most large enterprises that attempted to keep a cyber-crisis under
wraps and were exposed afterwards suffered serious damage to their
reputation.

Furthermore, the company has to manage all relevant internal
stakeholders and vendors in order to comply with any regulations that
make reporting obligatory. A number of regulators ask for extremely
fast reports; for example, the Monetary Authority of Singapore (MAS)
demands notification within a few minutes.

Yet, there are of course many technical variables outside of your
control. For instance, a range of impactful cyber-breaches were
reported by security researchers, who identified evidence of a
compromise based on external telemetry and malware samples.

There are many advantages to treating your cyber-crisis transparently
such as public support by authorities, researchers, and customers.
However, you still need to be ready to take the pressure in
communication and execution.

Then - Seek cybersecurity expertise

Most companies employ their own CISO and security staff who are
responsible for responding to the cyber-crisis. But, let me ask you a
question: Did they really see the full cyber-crisis and experience it
end-to-end? If you have not run proper tabletop exercises yet and your
dedicated team has never dealt with a cyber-crisis before, don’t try
to work it out alone. Instead, consider seeking help from the
following stakeholders:

1) Cybersecurity incident and crisis specialists: Crisis and technical
analysis reports can likely be done more effectively by external
companies that have handled similar situations or the same threat
actor. For example, most companies lack legal experience or are
unfamiliar with the Tactics, Techniques and Procedures (TTPs) of the
threat actor.

2) Security vendors: Companies are often too shy to consider security
vendors as partners. The reality is that security vendors are probably
the best partners to help you mitigate the threat given their
experience with your security controls.

3) Peers: Cybersecurity requires team effort, so we have to be humbler
when working with our peers or even competitors. A lot of the threats
your organisation faces have already hit others you may know. Engaging
peers and asking for help is critical.

4) Law enforcement: In many countries the involvement of law
enforcement is more of a formal act to register the incident. Yet a
few countries have strong capabilities that focus not only on
investigating the threat actors but also on helping to defend your
networks. To support the cause of cybersecurity in a sustainable way,
it is always good to engage with law enforcement during or after an
incident.

And use smart containment

If you indiscriminately follow every recommendation available out
there, containing a cyber-crisis could take years. So, how do you
challenge your CISO on the balance between incident containment and
keeping the business going, whilst avoiding panic mode?

A company’s task force can be smart by applying a risk-driven
containment approach to address the most pressing questions:

1) Why were we hacked in the first place?

2) What are our crown-jewels and were they impacted?

3) How do we mitigate the threat?

Before even trying to mitigate the threat, you have to answer the
first and second questions correctly. At times it is necessary to keep
the attacker in your own network for a while in order to determine
their true motives. If the motivation is destructive, you had better
get them off the network as soon as possible.

For all targeted attacks aimed directly at your company and with a
defined purpose, such as trying to steal information for espionage or
to sabotage the IT infrastructure, there is one key question you
should always ask your CSO - Have we identified patient zero?

Similar to virus outbreaks in the physical world, patient zero can help
you reconstruct the path of the attack and track down potential hidden
backdoors the attacker created in your network as a fallback, in case
they are identified. If your task force fails to identify patient zero,
it will not be able to confirm whether the attacker is still in the
network or to determine the full scope of the attack.
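The reasoning above, as an added worked example that is not part of the
original article: given a set of lateral-movement events reconstructed
by the task force (each one "a session from host A was used to log on
to host B at time T"), patient zero is a source host that no earlier
internal session ever led to, and the scope of the attack is everything
reachable from it in causal time order. The hostnames, timestamps and
events below are constructed for illustration; the second run drops
the first event to show what happens when telemetry for the true entry
point is missing and the task force settles on the wrong patient zero.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Movement:
    """One lateral-movement hop: a session originating on src logged on to dst."""
    when: datetime
    src: str
    dst: str


# Constructed sample events (not from any real incident).
SAMPLE_EVENTS = [
    Movement(datetime(2020, 2, 10, 9, 5), "ws-finance-17", "file-srv-02"),
    Movement(datetime(2020, 2, 10, 11, 40), "file-srv-02", "dc-01"),
    Movement(datetime(2020, 2, 11, 2, 15), "dc-01", "erp-db-01"),
    Movement(datetime(2020, 2, 11, 2, 20), "dc-01", "backup-srv-01"),
    # A second foothold set up from the entry host days later: the kind of
    # hidden backdoor the article warns about.
    Movement(datetime(2020, 2, 12, 8, 0), "ws-finance-17", "jump-host-03"),
]


def find_patient_zero(events):
    """A candidate for patient zero is a source host that never appears as a
    destination: no internal session led to it, so the compromise entered there.
    If several exist, the one with the earliest outbound hop wins. Returns None
    when every source is also a destination (cycle or missing telemetry)."""
    destinations = {e.dst for e in events}
    roots = sorted((e for e in events if e.src not in destinations),
                   key=lambda e: e.when)
    return roots[0].src if roots else None


def reconstruct_path(events, patient_zero):
    """Walk outward from patient zero. A hop only counts if it left a host after
    that host was itself reached, which keeps the order causal. Returns a map
    host -> (time first reached, host it was reached from)."""
    ordered = sorted(events, key=lambda e: e.when)
    first_out = min(e.when for e in ordered if e.src == patient_zero)
    reached = {patient_zero: (first_out, None)}
    changed = True
    while changed:  # iterate to a fixed point; events are few, so this is cheap
        changed = False
        for e in ordered:
            if e.src in reached and e.dst not in reached and e.when >= reached[e.src][0]:
                reached[e.dst] = (e.when, e.src)
                changed = True
    return reached


def attack_path(reached, host):
    """Hop-by-hop path from patient zero to host, e.g. for a report."""
    path = []
    while host is not None:
        path.append(host)
        host = reached[host][1]
    return list(reversed(path))


def scope_report(events):
    """Patient zero, every host explained by it, and hosts involved in events
    that the chosen patient zero does NOT explain. A non-empty 'unexplained'
    list means the scope is incomplete or patient zero is wrong."""
    all_hosts = {e.src for e in events} | {e.dst for e in events}
    pz = find_patient_zero(events)
    if pz is None:
        return {"patient_zero": None, "reached": {}, "unexplained": sorted(all_hosts)}
    reached = reconstruct_path(events, pz)
    return {"patient_zero": pz, "reached": reached,
            "unexplained": sorted(all_hosts - set(reached))}


if __name__ == "__main__":
    full = scope_report(SAMPLE_EVENTS)
    print("patient zero:", full["patient_zero"])
    print("path to ERP DB:", " -> ".join(attack_path(full["reached"], "erp-db-01")))
    print("unexplained hosts:", full["unexplained"])

    # Same incident, but the first event (the real entry hop) was never logged.
    partial = scope_report(SAMPLE_EVENTS[1:])
    print("patient zero with missing telemetry:", partial["patient_zero"])
    print("unexplained hosts:", partial["unexplained"])
```

With the full event set the entry workstation is identified and every
host, including the later jump-host foothold, is accounted for. With the
first event missing, the file server is wrongly chosen as patient zero,
and both the real entry point and the backup foothold show up as
unexplained hosts, which is exactly the signal that the task force has
not yet found patient zero and cannot confirm the attacker is gone.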

Finally - Be safe, not sorry

How has the cyber-crisis affected your business from a reputational,
legal, financial and technical perspective? Were there any financial
losses as a result of being unable to run a server for the last 20
hours?

Estimate the overall cost of the attack. Identify any ongoing
operational impact, such as time lost on important projects. This
analysis is required not only when the company has hedged its
cyber-risk with insurance; it will also help to determine the
investment needed in cybersecurity.

Ultimately, most organisations that experience a cyber-breach dedicate
a significantly increased budget towards cybersecurity. Focusing on
principles such as Zero Trust, improving cyber-hygiene, and
simplifying security processes and technologies are some of the most
important – and easiest – things to do.

Top tip for cyber-resilience

No matter your industry, a proper cyber-resilience plan cannot be
neglected if you want to be prepared for the worst-case scenario.
Reducing the scope of damage caused by a cyberattack is the primary
aim of the plan. Attempting to secure the network is one thing, but
activating a well-thought-out and stress-tested business-continuity
plan in the event of an attack can save your organisation huge amounts
of money and time. So, be well prepared.
