Just as things started to cool off around the WannaCry attack and businesses started to operate normally again, IT professionals were thrown back into disarray with the NotPetya malware attack.
NotPetya was responsible for knocking companies like Maersk, AP Moller-Maersm, Reckitt Benckiser, Fed Ex, and WPP into critical damage control mode. For the organisations that were lucky enough to avoid falling victim to these attacks, it is a moment to quickly breathe a sigh of relief and ask yourself, “Are you as prepared as you can be for the next WannaCry or NotPetya attack that will inevitably take place in the near future?”
Having an up-to-date security program, a detailed process to manage any vulnerabilities, and a completed incidence response plan, are all necessary and acceptable ways to build up confidence in a cyber security plan. Perhaps even the CEO and board of directors have been briefed on the current major ransomware risks that are flooding the market.
It is important to remember, being prepared is one thing, but how an IT professional actually handles themselves while in the middle of a cyber security crisis is completely different. It is safe to assume that cyber security professionals cannot be fully prepared for an attack, unless they have already dealt with managing emotions in the middle of a serious crisis.
By working on boosting cross-functional communication prior to being under the pressure of a breach, IT teams can be that much closer to keeping their cool while everything around them seems to be going up in flames.
Handling a high level breach like NotPetya, can be very chaotic and seem like a blur to even the best cyber security professional. Even the best prepared incident response plans can run off track when emotions come in to play, causing people to deviate from the initial plan.
Often stakeholders outside the immediate circle who are needing to deflect cyber threats, can cause more damage. They try to take control of a situation outside of their corporate jurisdiction and oppose important operational down time. These quick actions and assumptions can result in public misstatement.
Remaining level headed during early stages of a cyber-attack is far easier said than done. Here are five quick tips for boosting cross-functional business communication prior to an attack so you can keep your cool when everyone around you has lost theirs.
1. Define Your Stakeholders
On a normal day you might have a great relationship built up with your supervisor and the people you directly report with. However, when a security breach is on the cards, the company is depending on you. Security leaders become risk professionals and your job is simply not just a security program manager.
You will be in a much better position if you build a strong relationship across the board with compliance, legal, operational risk and line functions now, rather than when everything is hitting the fan. It would probably be worth your time to touch base with marketing, HR, finance and procurement as well. Transparency can be a huge asset down the line in times of crisis. The last thing you will want during a crisis is a bunch of people you do not know, bombarding you while you are under the pump.
2. Level Set with Each Stakeholder
When preparing for how to handle stakeholders, before landing in a breach situation it could be beneficial to ask, “What are the top three questions you’ll want to ask in the heat of a crisis?”
This helps in determining the stakeholders’ priorities and can manage them effectively.
3. Be Honest
There is no doubt, eventually there will be some bad news to share during a cyber breach. Hence, honesty and transparency throughout the entire process is critical to maintaining trust with stakeholders.
Another way to avoid unnecessary issues is to proactively prepare each of those stakeholders for what may happen in the speed and chaos of response, even if they seem far removed from your day to day security operation.
4. Syntax Rules If You Want to Get Buy-In
When communicating about cyber prevention, awareness and hygiene, try to position policies and processes in a way that is “against the bad guy” as opposed to one that shows distrust in employees. The latter may raise privacy concerns amongst employees or make them feel as if they’re not trusted. Instead of instilling worry, encourage employees to follow guidelines in order to prevent a major attack.
5. Be a straight-shooter
Be upfront with your third-party responder about what the real objective is.
The objective is the most important piece of information you can relate to the third party responder. Some companies will have an objective of getting back up and running as soon as possible, another will want their customers put first. Depending on the end objective third party vendors will tackle the incident differently.
In the end, it is important to not let what you know get mixed up with what you think. Don’t doubt yourself and when managing the emotional response to a breach, separate the facts and what you think. Define both and steer clear from acting on the latter. Once the facts are secured then it’s time to make choices about which of the alternative possibilities to select and how you’ll act on it.
Hopefully these tips will never have to be used, but as cyber security season is well and truly amongst us. These should help you weather the storm.
Jon Ramsey is chief technology officer at SecureWorks.