Our society is becoming increasingly vulnerable to major cyber disruptions, which could significantly impact digital and physical supply chains, operations and our environment. That is why governments and companies must prepare for cyber crises. In this article, I provide five good practices based on scientific evidence and practical experience.
1. Don’t let the CEO chair the cyber crisis management team
There are five core cyber crisis management tasks for executives: sense-making (i.e. understanding what is going on); meaning-making (i.e. reducing uncertainty and providing an authoritative account of what is going on, why it is happening, and what needs to be done); decision-making (i.e. taking decisions under uncertainty and time pressure with high stakes involved); terminating (i.e. shifting back from emergency to routine and rendering an account for what has happened); and learning (i.e. drawing organizational lessons).
Research has suggested that the meaning-making role of executives is much more important than their crisis management decision-making role. Being visible as an executive during the crisis, both internally and externally, and relying on proven frames and well-understood crisis rituals, appears to matter much more for the public’s perception of the leadership than the actual decisions that have been made.
If the CEO is put in a position in which he or she needs to chair the cyber crisis management team, there is a risk that he or she becomes too preoccupied with the incident instead of driving processes of meaning-making.
Of course, the cyber crisis management team should regularly update the CEO. The CEO could also be involved in high-impact decisions (e.g. the decision whether or not to pay a ransom). But the CEO must be kept away from the cyber crisis management team as much as possible so that he or she can do what he or she has to do: engage in meaning-making processes.
2. Invest in understanding the needs and expectations of stakeholders following a data breach
An analysis of several scientific studies has shown that meeting stakeholders’ expectations leads to the highest level of satisfaction, which is necessary to regain their trust in the organization after a data breach. Therefore, cyber crisis management teams should invest in understanding the needs and expectations of those impacted by the breach in order to identify the best response strategy (e.g. finding the right interplay between a remorse strategy and a compensation strategy).
3. Discuss and settle typical cyber crisis dilemmas in advance
There is a saying: “Luck is what happens when preparation meets opportunity”. As anticipation is a key element of cyber-resilient organizations, it is imperative to discuss and settle typical cyber crisis dilemmas in the preparatory phase. Just one example: the dilemma of whether or not to pay the ransom after a ransomware attack should be discussed with the executive leadership team up front. The outcome of this discussion can be used to design a ransom payment policy that outlines if, and under what conditions, a ransom is paid. Another dilemma that needs to be settled is: to what extent is frontline personnel allowed to take emergency measures in the event of a sudden potential cyber-attack, even if these measures could have a major customer impact?
4. Train your cyber crisis management capability before you start exercising
In my consultancy practice I come across many clients who organize cyber crisis management exercises without their operational, tactical and strategic teams having been trained for their roles and responsibilities during a cyber crisis. If you start exercising without proper training, then you know what to expect: cyber crisis management team members are unaware of their roles and responsibilities, as well as of the agreements laid down in incident and crisis management plans. This is a waste of the limited time and resources available to improve the cyber crisis management organization. An exercise should therefore always be preceded by a training program.
5. Exercise incident management, crisis management and IT recovery together
Another observation from practice is that many organizations choose to exercise their incident management, crisis management and IT recovery capabilities separately. However, during a cyber crisis, effective cooperation between these capabilities is key. Therefore, it is recommended to organize integrated exercises in which the incident management, crisis management and IT recovery teams exercise together and learn to align their ways of working and meet each other’s expectations.