How To Handle A Cyber Crisis

An unnamed Canadian Bank didn’t know how to publicly manage a cyber crisis and called in the experts. Here is their advice.

Head of  Toronto-based crisis management consulting firm, Allan Bonner was brought in some time ago to help an anonymous financial institution because the press wasn’t buying the company spokesperson’s answer to repeated questions on what had gone wrong.

The bank would only say something along the line of, ‘We are dedicated to customer satisfaction. In order to improve our customer relationships, we regularly improve our computer operations,’ Bonner recalled in an interview. He sat with a vice-president trying to get the real answer on this for several hours who said he was told by his staff the same thing. Bonner told the exec, “You should have the authority to find out what happened. Get one of your IT people on the line and ask.”

However, IT repeated the same explanation. Finally, one of Bonner’s researchers spoke to the IT leader and got the full answer: A technician tweaked a computer program, but a few hours later another person thought the change was wrong, reversed the tweak and, as Bonner puts it, “the computer’s head exploded” because there were two adjustments so close together.

The lesson: “In a crisis, cyber or not, the people reporting to you will keep you in the dark, as opposed to coming clean if there’s going to be some pain,” Bonner said.

Hard for the C-suite to believe, but some, maybe all, people in the organisation think the less management knows the better. And they think, sometimes on the advice of consultants, the less the company says during a crisis the better. Not so, Bonner believes.

First, “a mission vision statement (‘We try to serve customers well’) isn’t why you have a crisis,” he said, so repeating it isn’t convincing. As for being afraid of saying something that might admit liability, Bonner says a carefully-worded statement will avoid that: “We’re sorry this happened, We’re trying to get to the bottom of it.” Instead, some companies think total denial is a valid response. He recalled making a presentation on the necessity of clear communications to an Alberta firm. 

At one point a lawyer said he told a customer whose plant had burned down to say nothing publicly about the incident. But how, Bonner wondered, could the loss be hidden? Employees would know. Customers would know. Suppliers would know.
Just as important, if the crisis is a cyber breach criminals could quickly exploit personal information. Customers need to be warned fast, if only to avoid costly class action lawsuits.

It’s “silly advice” to say nothing publicly, he said. On the other hand, an organisation shouldn’t be too communicative. And most importantly, it shouldn’t lay blame.

So yes, chose your words carefully. “Crisis management is game of inches,” Bonner likes to say. A former CBC broadcaster, Bonner moved into media training for management in 1988 and then crisis management. More recently he’s been looking into how unprepared organisations are to face a crisis, cyber or other. He the author of, An Ounce of Prevention (2010), a book on how to navigate through damage control and crisis response.

His next book, which will hopefully be published later this year, is on how cities should plan for emergencies stemming from cyber security incidents. “It is absolutely shocking what is both in and omitted” from many municipal emergency plans, he said, including how to deal with cyber-related incidents (everything from a deliberate attack to solar flares knocking out electric systems).

Biggest mistakes
The biggest mistake management makes in a crisis is “hoping nobody’s going to find out,” Bonner said. However “studies are clear: those who take fast action” fare better. 

When a crisis breaks don’t wait to react: Start assembling the data, people and resources you need immediately. If you find you don’t need them nine hours later, he said, no harm has been done.

The second biggest mistake is issuing overly optimistic reports to the public: ‘We’ll have this will be fixed in two days,’ or ‘We know the problem.’

The third mistake is focusing on the immediate problems of the crisis and forgetting the organization will have to deal with ongoing effects such as publicity, legislation, regulation, inquiries and court cases.

Allan Bonner’s 12 principles of crisis management:

1. In all cases, the first order of business is to determine the facts: What is the cause of the crisis and what will be the public perceptions? Many events are surrogates for other issues. Most events morph and have new meanings over a short period of time.
2. How will the issue be framed?
3. Who will frame the issue, regulators, legislators, customers, shareholders, other stakeholders.?
4. What will this morph into in the days or weeks ahead? One may handle the event well, but not the inquiry or testimony at legislatures or eventual court cases.
5. Inquiries go up and back. This means as high up the chain of command as possible and as far back as possible.
6. One must act fast but be sure of actions and information.
7. One must apologise but not admit liability.
8. If liability is completely obvious one will look foolish talking around it.
9. Don’t blame anybody for anything.
10. Don’t try to sell product or enhance reputation from the incident.
11. The court case may go on for years, long after the event is forgotten.
12. Your staff may keep details from you to avoid confrontation or recrimination.

IT World Canada

You Might Also Read: 

What Should You Do If Your Business Is Hacked? (£):

PR & Press After An Attack (£):

Cybersecurity Is Just A Lot Of Trouble For The General Public:

 

 

« Twitter Reveals True Extent Of Russian US Election Posts
The CIA Discovers It Has A Mole »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

WEBINAR: 2024 and Beyond: Top Six Cloud Security Trends

WEBINAR: 2024 and Beyond: Top Six Cloud Security Trends

April 4, 2024 | 11:00 AM PT: Join this webinar to find out about six emerging trends dominating the cloud cybersecurity landscape.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Riverbed Technology

Riverbed Technology

The Riverbed Network and Application Performance Platform enables organizations to visualize, optimize, accelerate and remediate the performance of any network for any application.

enSilo

enSilo

enSilo secures customers data on premise or in the cloud. Regardless of the where the threat comes from, enSilo can protect your data.

ESTsoft

ESTsoft

ESTsoft Securedisk is an enterprise-wide file security solution that stores and manages all data in a central file server.

OneWelcome

OneWelcome

Onegini and iWelcome have merged to become OneWelcome, the largest European Identity Access Management Saas Vendor.

Precise Biometrics

Precise Biometrics

Precise Biometrics develop and sell fingerprint software for convenient and secure authentication of people’s identity in mobile devices, smart cards and other products with fingerprint sensors.

Swiss Cyber Storm

Swiss Cyber Storm

Swiss Cyber Storm is a non profit organization hosting the international Swiss Cyber Storm Conference and running the Swiss part of the European Cyber Security Challenges.

Cyber Security Raad (CSR) - Netherlands

Cyber Security Raad (CSR) - Netherlands

The Cyber Security Council (CSR) is a national, independent advisory body of the Dutch government undertaking efforts at strategic level to bolster cyber security in the Netherlands.

Barbara IoT

Barbara IoT

Barbara is an industrial device platform specifically designed for IoT deployments.

National Cybersecurity Student Association (NCSA)

National Cybersecurity Student Association (NCSA)

The National Cybersecurity Student Association is a one-stop-shop to enhance the educational and professional development of cybersecurity students through activities, networking and collaboration.

GoCyber

GoCyber

GoCyber is a new, highly innovative cyber security training app that uses action based learning to significantly improve the online behaviour of all employees in less than a month.

Cingo Solutions

Cingo Solutions

Cingo Solutions is a Managed Detection & Response company providing specialized data security services.

CloudSphere

CloudSphere

CloudSphere’s flagship Cloud Governance Platform enables enterprises and cloud service providers to simplify and optimize cloud migration, management, and governance.

ditno

ditno

ditno uses machine learning to help you build a fully governed and micro-segmented network. Dramatically mitigate risk and prevent lateral movement across your organisation – all from one centralised

Stronghold Cyber Security

Stronghold Cyber Security

Stronghold Cyber Security is a consulting company that specializes in NIST 800, the Cybersecurity Framework and the Cybersecurity Maturity Model Certification.

Vaultree

Vaultree

We believe in an encrypted tomorrow. Vaultree technology enables a foundational change in how we communicate with each other: Safely!

DeXpose

DeXpose

DeXpose is a hybrid dark/deep web monitoring and attack surface mapping platform to help you find compromised data or exposed assets related to your organization way before threat actors.