Cybercrisis management: Are you ready to respond?

In an increasingly interconnected world, it’s more important than ever to ensure your organization is prepared to deal with a cybercrisis. These best practices will help you manage a threatening event.

Tags: Data breach, Fraud protection, Cybersecurity
Published: August 22, 2018

When an adverse event occurs, it’s easy to let emotion take control. Failing to make timely decisions can turn a bad situation worse, but acting on impulse can be just as risky.

Given the high stakes involved, how can you prepare your leaders to operate quickly and prudently when the pressure’s on? What tools can you put in place to help them make smart decisions with limited information? By establishing the proper plans and relationships in advance, you can position your organization to handle a cybercrisis event with control, efficiency and accuracy.

 

Preparing for a crisis

According to Robb Mattila, director of crisis management at U.S. Bank, preparing for cybercrisis is a constant cycle that involves planning, training, exercising and learning.

  • Planning: The first step in crisis management is to create a documented plan. These internal procedures provide guidelines and outline measures for employees to take in the event of a cybersituation. A plan also specifies what type of events raise red flags. “While you can’t plan for every possible scenario, you can provide guidelines that indicate when an individual should escalate an event,” says Mattila.
  • Training: The next step in preparing for a crisis is training your staff. Make sure employees at all levels understand the procedures and keep things simple.
  • Exercising: Practicing your plans will improve your level of preparedness as an organization and increase collaboration among employees. Ask your clients to join your exercises as well. They can participate in a Q&A-type format. Outside consultants can also be hired to establish a scenario and help walk you through the processes. 
  • Learning: After each exercise, discuss opportunities for process improvement both internally and with clients. “Every single time I’ve participated in an exercise, new questions come up,” says Steve Krueger, information security officer and director of technology at U.S. Bancorp Fund Services. “As we address these questions, our organization becomes that much more prepared.”
     

Consistent messaging to all audiences is important when it comes to a crisis.

 

Communicating during a crisis

Having a communications plan is a critical part of cybercrisis management and preparedness. Follow these tips to help you communicate effectively to key stakeholders and the media in the event of a cybercrisis.

 

Have prepared scripts

In a cyberevent, people like to hear from you quickly. While you’ll never be able to identify every single situation that could happen, you can create templates for the top four or five most likely scenarios. This gives you a starting point that can be customized specific to the event that occurs.

“We know in the absence of any communication, people start to come up with their own stories of what happened,” says Cheryl Leamon, corporate issues management and communications lead at U.S. Bank. “It’s important to acknowledge awareness of the situation and that an organization is addressing it.”

 

Don’t release information without knowing the facts

Organizations can get themselves into trouble when they try to communicate too many specifics early on. It’s important to ask yourself:

  • How sure are we?
  • How much information should we give?
  • When do we give it?
  • To whom do we give it?

“If incorrect information is communicated and you have to retract things you said, you lose the trust of your employees and your customers,” says Leamon.

Finding the right balance between under and over communicating can be challenging. A good practice is to include phrases such as: “at this time” and “what we know now.” This implies that information is always evolving and subject to change.

 

Be consistent with your message

Customer service is crucial to any crisis situation, especially in the event that someone else’s data may be at risk.

“Consistent messaging to all audiences is important when it comes to a crisis,” says Leamon. “Customers, elected officials and media all need to be hearing the same information, otherwise it will cause confusion and make an already tense situation more stressful.”

As a senior leader in your organization, be prepared to make phone calls directly to your clients. Using the established script and adding the details you know about the specific situation will prepare you for this conversation.

 

Establishing external partnerships

Maintaining relationships with local law enforcement is an important part of crisis management. These individuals can advise you on the current threat landscape and will be beneficial to your organization should you need to reach out.

Many organizations also maintain contracts with independent third parties that will provide cyberforensic assistance in the event of a crisis.

In terms of contacting these outside parties in a cyberevent, it’s important to determine who communicates with whom so there’s no overlap or omission.

 

Beyond cybercrisis

Once you’ve determined and implemented the steps to your cybercrisis plan, think about other crisis areas that may need to be addressed. Many of the principles practiced in a cybersituation apply to events such as natural disasters or terrorist attacks. Additionally, learn from the shortcomings or successes of other organizations to continuously develop your procedures. With an established crisis plan routinely practiced and improved upon, you can be well prepared to defend yourself and your clients against a threatening event.

 

Continue to evaluate your cybercrisis practices and determine if you need to create or revise your process. While the tasks we outlined may seem daunting, the benefits of being prepared will far outweigh the challenges you may face if you ever experience a cybercrisis.

 

Learn more about Cybersecurity: Protecting client data through industry best practices.

 

 U.S. Bank does not guarantee the products, services, or performance of its affiliates and third-party providers.