Cyber crimes are becoming more and more common in the world of e-business. In fact, sensitive information is now stolen at a rate that was unfathomable just a few years ago. The paper, published by PwC, reports that the average cost of a breach has also increased, with each incident costing a company $7.2 million on average. However, the reputation hit a company can take after a cyber incident is even more costly.

There are three groups of criminals who work to create havoc in the cyber world:

  • Hacktivists:  Hacker activists who steal and disseminate confidential information in order to damage the victim’s reputation.
  • State-sponsored:  Criminals who steal information for competitive advantage.
  • Organized Crime:  Groups that steal information about customers and sell it underground.

The goals of these groups include the following:

  • Significantly disrupting business operations
  • Leaking sensitive information to the public for financial gain or to damage the company’s reputation
  • Obtaining sensitive economic information
  • Gaining control of infrastructure
  • Maintaining remote access and stealing sensitive customer data or corporate information for extortion purposes

These groups often gain access to an entity’s systems and are able to maintain their infiltration for periods that can extend into years. Oftentimes, companies try to put out a quick fire by patching the technical holes that caused the breach. However, the problem isn’t solved at that point, because the company has already been exposed to operational, financial, and litigation risks. In order to be fully prepared, companies need to create the capability to respond to a major event in the cyber universe.

The Cyber Crisis Plan
The immediate response to a breakdown in the cyber world is to bring in forensic cyber teams that determine why the incident occurred. However, when Congress calls the company to a congressional hearing to explain what happened, Congress usually isn’t satisfied by hearing only about reactive measures. Often, Congress wants to hear about a plan that involves preventative measures.

The authors suggest the following phases for a Cyber Crisis Plan:

  • Information Security Program:  The Company has an information security program that is designed in accordance with data security standards.
  • Cyber Event Detection:  The event/breach is identified.
  • Incident Response:  The Company’s incident response plan is initiated once the event is identified and a team is created to coordinate the plan.
  • Internal Investigation:  The victim begins an investigation immediately.
  • Third-party Forensic Investigation:  Outside investigators should conduct a forensic investigation, beginning no later than 24 hours after the event.
  • Contact Law Enforcement:  As soon as the third-party investigation begins, the company should inform law enforcement of what occurred.
  • Customer Notification:  Immediately after the forensic teams confirm whether or not confidential customer information has been stolen, the company should inform their clients of what happened.
  • Containment and Remediation Plan:  A plan to repair the issue and prepare for media and legal scrutiny should be quickly developed and implemented.

By taking these steps, Congress will be able to see that the organization took control of the crisis and was proactive rather than being completely reactive.

More Than Just a Technical Solution
There are three steps to the response process. The first is to react to the problem by identifying the issue and determining its severity. Then the company needs to respond to the issue by containing the problem, performing forensic analysis, finding third parties to help with the problem, and notifying customers. The final step is to resolve the problem by repairing control deficiencies, returning to normal operations, and recording the lessons learned.

In order to fully respond to and resolve issues, a company may need to bring in threat support analysts, response teams, forensic investigators, sensitive data recovery teams, public relations professionals, and fraud mitigation experts. Integrating these people into a cyber crisis team and into the ERM process as a whole will greatly mitigate the risks.

Critical Success Factors
The authors discuss seven factors that are critical if a company wants to be fully prepared for a cyber crisis and the congressional issues that will arise with it. They are:

  • A company’s communications strategy must be fully prepared. This means the company must plan ahead for what it will say when a crisis occurs so that it can control the published information and be decisive about what is put in the media.
  • A single person needs to be assigned to write down the exact decision-making process the company goes through so that a detailed report can be made for internal and external purposes.
  • Customers should only be notified when the company has all the information – changing the story makes the company seem ill-prepared.
  • Activate the response program immediately.
  • Once the response program is initiated, a specific team should be created to tackle this specific event.
  • Hire outside experts, such as legal counsel, cyber incident response teams, and crisis managers to help mitigate the problem.
  • Establish the point of contact for all internal and external parties.

Download the full report.

Link: PricewaterhouseCoopers


ERM Enterprise Risk Management Initiative 2011-09-01