Information is oxygen: an integrated approach to cyber crisis response
Cyber breaches are a real and present danger for companies of all sizes, sectors and specialisms.
The latest research in our Anatomy of a Crisis series tells us that last year, 27% of companies suffered breaches. Of those, 27% lost revenue, 26% lost customers, 18% lost staff and 17% incurred fines from regulators. Cyber incidents are now a matter of when, not if, for most businesses.
For management teams tasked with preparing their companies to respond to this threat, our view is that one central idea should guide the approach:
In any cyber crisis response, information is your oxygen.
Without high quality information, moving efficiently through clear airways, your response can’t breathe.
This simple viewpoint should help set priorities, inform structures, and most importantly, lead to a high degree of integration across teams.
To manage a breach successfully you need to know the kinds of information your business holds. You also need to know where it’s located, who has access to it, what might have been lost when something’s been stolen, and how any attack might have occurred. This process of gathering and understanding represents the act of breathing in.
But breathing is a two-part process. It’s all very well taking oxygen on board, but if you can’t breathe out, redeploying it effectively to areas of need, what’s the point? It’s all one system designed to take you where you need to go.
And that’s no different in responding to a cyber incident.
Your oxygen – high quality, fast and accurate information – serves a range of elements in your response that need to work together to be effective. Breathe in as much as you like, but artificial barriers within or between teams have the effect of restricting your out-breath, blocking vital pathways and hampering the flow information needed to fuel successful activity.
You can’t communicate robustly unless the communicators understand the technical interventions steadying the ship. You can’t make the right technical interventions without staff knowing what’s being asked of them. You can’t reap the benefits of your actions without deploying credible information to reassure customers, talk to regulators and engage with the media. Different activities, same fuel, same integrated system.
Our latest research, looking at how companies coped across 300 cyber incidents over the past ten years, illustrates the point.
Inside jobs, media interest and public statements
Firstly, technical teams need to know what’s happening within as well as outside organisations. In our study, almost a third of the incidents we reviewed originated from the inside. In 96 cases, more awareness, more training, better internal communications and reinforced connectivity between technical and people-focused teams might have helped avert a crisis.
Secondly, proportional communications strategies need always to be informed by facts on the ground. Our research showed that media responses depend on the size and nature of an incident, with breaches exposing fewer than 10 million data points receiving half the press coverage of breaches crossing this threshold.
And lastly, our first Anatomy of a Crisis study taught us that organisations responding quickly to incidents with public statements received significantly higher recognition and acceptance of those responses than those who didn’t. As part of our latest study we reviewed the public statements issued companies in response to their incidents. Again, the very best of these combined speed (issued on the day of the incident first becoming known) and detail (breach facts, remedial actions, directions for customers, and, in 26% of cases, apologies). This blend, in our view the right approach to reassuring stakeholders and gaining control of the crisis narrative, is only achievable with considerable cross-functional collaboration: the whole organisation breathing as one.
Settling on an integrated response
Our Anatomy of a Crisis research always sets out to learn the lessons of past events to help inform best practice in the future. In this case, our ultimate finding is that there is no successful cyber incident response other than an integrated one.
The diversity of the threat and the range of potential impacts means cyber security can’t just be an issue for the CISO’s office. It’s also problem for HR, Legal, Communications, Public Affairs and more. Colleagues need to understand each other, train together, and rehearse as a unit. Crisis teams should use cross-functional tech-ins and educational workshops to help increase awareness and foster better relationships. Response plans need to account for implications across the whole range of business areas, ensuring practitioners within each have high-quality information at their fingertips and can respond effectively when called upon.
You can receive an exclusive copy of our latest Anatomy of a Crisis report by emailing me at [email protected]