Advice On Developing a Cyber Crisis Management Plan

Practical advice for developing a cybersecurity crisis management plan and a closer look at its components.


The Identity Theft Resource Center has been tracking data breach disclosures and reporting on them regularly. In its latest publication, covering 2018, the center notes: "The variety of industries and types of businesses impacted by breaches in 2018 opened the eyes of many consumers to the fact that breaches have become the new normal."

It’s not so much a matter of “if” a breach will happen, but “when” a breach will happen. - Identity Theft Resource Center

The report points out that data breaches have become industry neutral: whether you like it or not, breaches have hit not just financial services, governments and social media, but medical/healthcare, education and other business sectors as well.

The most notable compromised social media platform in 2018 was Facebook. Impacted by multiple incidents, including the Cambridge Analytica data misuse, one significant breach was caused by a vulnerability in coding that allowed hackers to access “tokens” for 50 million accounts. - Identity Theft Resource Center

To cite a few of the crises (Source):

  1. Google+ was breached twice, impacting 53 million users. A security bug had allowed third-party developers to access public user profile data since 2015.
  2. Hospitality company Marriott International had the highest number of reported records exposed in 2018, impacting 383 million people worldwide.
  3. In 2018, 19 local government agencies publicly disclosed that they were impacted by breaches of a third-party payment platform called Click2Gov. Another breach, of the payment platform GovPayNow.com, impacted 2,300 government agencies in 35 states.

Managing A Cyber Crisis

For most security teams, incidents are routine; crises like the ones described above are rare, career-defining moments. Managing a crisis is not an easy task. It requires an organization-wide effort that is well integrated, concerted and coordinated.

It's never been more important for business leaders to understand the nature of the threats they face and the level of risk they accept. - PwC

While most organizations have controls to manage incidents, very few are prepared to deal with crisis-like situations or have a well-thought-out plan in place.

Companies that suffer from cyber security breaches or cyber vulnerabilities increasingly face claims of failing to implement adequate cyber security measures, deceiving others around the extent of their data security measures, or inadequately notifying the individuals whose personal information may have been at risk. - FireEye

With growing regulatory and reputational pressure, and given the impact of cyber breaches, it is increasingly important to prepare your organization to manage a cyber crisis by putting a cyber crisis management plan in place.

Components of a Cyber Crisis Management Plan (CCMP)

Each organization, and the context within which it operates, is unique, and there is no silver bullet or magic wand that will document a CCMP for you. Developing a CCMP is not a single person's job; on the contrary, it is a collaborative effort across the organization to develop a blueprint that you can use in a crisis.

There is, however, a baseline that each of us can use to develop a future-ready CCMP. In this section I outline its key components.

  1. Context - This opening section should outline a little about the organization and the context within which it operates - economic, political, social, legal, environmental, etc. Also add an outline of the organization's mission, vision and values.
  2. Objectives - This section should outline the objectives of the CCMP. It is a good place to document key expectations and views from management and investors alike.
  3. Scope - This section outlines the scope of the document. Scope can cover in-scope locations, systems, business processes, etc.
  4. Definition of Crisis - Carefully define what a crisis situation actually means, and what it will look like, in the context of your organization. This could be a combination of high-level statements and scenarios, but more importantly it must capture what a potential cyber crisis looks like for you. This is one of the most debatable sections of the document, so be mindful.
  5. Crisis Management - This section is the core: it is where you outline what you actually do in a cyber crisis situation. Some of the key elements here include: a) How do you identify a crisis? b) How do you report a crisis? c) What information do you collect? d) Who declares a crisis? e) When do you declare a crisis? f) Where do you go to secure the resources you need to manage a crisis? In this section you also outline a high-level process flow that helps you quickly identify, contain, respond and recover in a crisis situation. This process flow includes details of all the key participants involved and their roles and responsibilities in a crisis.
  6. Crisis Mitigation, Response and Recovery - This section lists potential crisis scenarios and maps each of them to your incident management and other procedures.
  7. Communication Plan - The single most important thing in a crisis situation is communication. Communication, both internal and external, is the key to navigating a crisis successfully. This section outlines the key elements of communication: source, destination, frequency, medium, review process, and roles and responsibilities.
  8. Testing - The more we sweat in peace, the less we bleed in war; the saying is equally apt in the cyber world. Test the plan, and test it as frequently as possible, with the involvement of all stakeholders. Learn from the results and improve the plan periodically. This ensures that you are not looking for the exit when the fire breaks out.
  9. Reporting - Any crisis teaches a lot, not just to the organization but to everybody involved in managing it. There are lessons for each person to document and act upon. A detailed report of the crisis is what helps everyone, in the long run, go back and see what went wrong. Some reports also have to be shared with regulators, customers, the public at large and other stakeholders, and a single consistent view is what lets you tell the story consistently. So decide on a format in advance and identify the points at which you will need to capture data, evidence, logs, etc. Having formats ready in the form requested by regulators and government agencies also saves time during a crisis.

A CCMP is a living document, one that needs to be continuously sharpened and fine-tuned. Organizations that know how to manage a cyber crisis are always better prepared and positioned to deal with such situations when they occur. Developing a CCMP is a step in the right direction.

The awesome GIF used in this article is called 'Don't Panic' and it was created by Anton Borzenkov.