By: Nicolas Castellon
We are now witnessing the beginning of the digital age. In the last couple of years, we have witnessed a hyper-digitization of society as the number of users online has risen to nearly 3.5 billion from 1.2 billion just ten years ago. Beyond people having a presence online, our devices are also increasingly becoming connected: there are currently 6.4 billion connected devices, and estimates show that there will be around 20 billion by 2020. These numbers show promise of increased innovation, productivity and connectivity in ways we have not yet discovered. Our critical infrastructures will become “smarter” and will increase in efficiency, providing more sustainable output. This interconnectivity, however, comes with risks. The reliance of organizations on the digital domain means that new risks are on the horizon, and companies, universities, and the government might not be prepared to face them.
These risks are currently seen as access breaches, ransomware, and malware that infect devices within our organizations. These risks lead to data breaches, extra spending, loss of intellectual property and espionage. Knowing how to avoid these dangers can make or break an organization’s reputation in the digital age. Well-prepared organizations should have proprietary or outsourced digital fences in the form of firewalls, Intrusion Detection Systems, and Security Operations Centers, to name a few security measures. With these defense layers in place, organizations tend to forget the human factor: the management of the crisis.
When an organization is struck by a cyber-attack that affects business beyond a tolerable threshold, a designated team is usually appointed to handle the situation. If in place, this crisis team has the ability to contain the issue, frame the incident towards stakeholders, and, most importantly, learn from the incident. Though not all forms of cyber-attack are worthy of activating a crisis team, some are. Companies operating critical processes for their own business or for their clients, such as a large data center provider, will need to restore operations within a tolerable time before financial losses are felt or contract obligations are broken. Handling the crisis appropriately can prevent poor financial projections for the next quarter and reputational costs for the company.
Most organizations should have contingencies in place to assist the crisis team in handling the incident. These documents are normally found in the form of Business Continuity Plans and Disaster Recovery Plans. Thorough crisis management, however, goes beyond following prescribed procedures. Crisis management in the digital era means that a lot more is at stake and that we have less time to handle it. It is important to highlight two major overlooked factors of crisis management: crisis communication and stress coping.
Crisis communication is just as important as incident handling. Crisis communication is the conveying of messages to stakeholders to frame the incident in a contained manner. In this way, the organization facing the crisis “owns” the story portrayed by the outside world. With the massive growth of social media, crisis teams can also expect unflattering coverage if the crisis is perceived outside of the meeting room by consumers. We can imagine this to be most true in the case of telco providers, online banking and payment systems, public transport and the energy grid. Diving into the example of telcos, a loss in the network will be felt almost immediately by users and thus might gather unwanted media attention. In this case, effective crisis communication would mean that the users and the media outlets are presented with an organizational method acknowledging the disruption, commentary if possible, and a generous estimate of when the problem should be resolved. Effective crisis communication is a continuous dialogue meant to put the stakeholders at ease. The message should be clear and concise, and should not make promises that cannot be met.
Stress coping is easily the most overlooked aspect of effective crisis management. The crisis team consists of people from different branches or teams of an organization, depending on the organization’s size. These teams have the habit of changing given the rotation of staff, and the members of the team have mostly never experienced a major incident. The stress suffered during a major incident has a different effect on each team member depending on their personality and resistance. Everyone in this team, however, should know how to work under pressure and stress. It is important for the crisis team to turn the stressful incident into an increase of awareness and perception that will lead to clearer thinking and thoroughly thought-out decision-making. Familiarity with a major incident leads the team members to build better coping mechanisms, as enough familiarity with major incidents will grow their tolerance.
Organizations can easily overcome these thresholds with education. Crisis teams can be trained to follow contingencies more accurately and efficiently; they can be trained to communicate effectively and deal with the stress of the major incident. Organizations should train their crisis team members and should run periodic simulations. Simulations of major incidents will ingrain in the crisis team a hands-on experience that dry runs will not be able to deliver. For these reasons, it is recommended that the team experience the stress generated during a major incident and operate within the same time windows as a real incident.
Though crisis management is not the first line of defense against cyber-attacks that may lead to great financial loss or reputational costs for an organization, it should be perceived as the organized execution of a company’s effort to contain the incident. With the rise of digital technologies over the last 20 years and their exponential growth over the next years, more organizations will experience a crisis where digital systems will impact their daily business. Crisis management does not protect organizations from cyber-attacks, but it does ensure that the organization survives them.
Nicolas is a Cyber Security Specialist at CGI Group in Rotterdam, the Netherlands. He is currently working in the Space, Defense and Intelligence sector on Cyber Security Governance and Crisis Management Consulting. He holds an MSc (cum laude) from Leiden University in Crisis and Security Management.
Image credit: http://www.lexantronix.com/?p=33