Overcoming the cyber-attack. Five crisis-management insights for companies who’ve been hacked
The screen flickers, then dies. You were in the middle of presenting your latest product to a potential buyer. Your pitch was nice, your slide-deck fantastic. None of this matters anymore. The machine reboots with a terrifying message: pay us the ransom or we WILL destroy your data.
You didn’t ask for this. You are not prepared for this. You walk out the door and every laptop and cell-phone in the building has been hacked. Employees that were busy working are now wandering about the halls aimlessly. You’ve seen that look before: a deer in the headlights…
TL;DR:
1. Stay consistent in your messaging.
2. Appear competent and appeal to competence.
3. Identify and coordinate with (all) affected stakeholders.
4. Stay true to your values, follow the law, don’t blame a third party.
5. Give your crisis team the power and authority to get the job done.
If it makes you feel better, you are far from alone. Last year, Steve Morgan (CEO, Cybersecurity Ventures) estimated that $5 billion in damages were suffered from ransomware alone. This includes the infamous WannaCry epidemic, which accounted for about $1 billion. No two cyber-attacks are the same. Even within the same strain of attacks, the path of entry and the consequences for your company will be unique.
Every company has a unique information system, along with its associated vulnerabilities. But one fact is clear: a company’s most valuable asset is its trust relationships with customers and other stakeholders.
This contract of trust comes down to the following. Customers: you use their data and money in exchange for working products and services. Shareholders: they own the company in exchange for returns. Employees: they keep the ship moving in exchange for direction. The attack has breached the contract between you and those stakeholders. All of them will be shocked by the news, and all of them will have you and your company in the hot seat.
The attack will certainly test your leadership and resolve. While it is a dangerous situation, the attack is also an opportunity to prove why this contract exists between you and your stakeholders. In my short time working in crisis management and cybersecurity, I learned about five principles to follow in the wake of a cyber-attack.
Consistency
It is essential to stay on message and avoid contradicting yourself. When a cyber-attack spins your company into chaos, it may be tempting to try to satisfy every stakeholder expectation. As soon as news of the attack reaches these stakeholders, two of the most important questions they will have are: 1) Who did it? 2) Is our data safe? Rarely will you be certain of the answer to either question. It takes around two weeks on average for forensic teams to attribute attacks with reasonable certainty. Why? Most hackers will try to conceal their identities (hacktivists and glory-hunters being notable exceptions), and the answer often lies in the analysis of the victim’s information system, which is compromised at this point. In the same vein, it is difficult to distinguish between “safe” and “compromised” data in the midst of an attack. Once the initial attack vector has been activated, it is hard to know whether more of the system was compromised, with further attacks waiting to be triggered. It is dangerous to tell customers that their data is safe based only on the initial attack. Keep in mind that the median dwell time in 2017 was 101 days, plenty of time to compromise every nook and cranny of your IS (Mandiant, 2018).
In every crisis, we observe a crucial relationship between information, time, and the demand for information. The graph below builds on a concept I was first exposed to in a lecture by Nik Gowing at my alma mater (King’s College London, 2016).
As time progresses, our knowledge of the attack (and its authors) increases, along with our ability to make informed statements. Yet the demand for information is at its highest just after an attack. It is important to fulfil this demand while remaining consistent. Rather than disclosing too many details of the attack, seek to reassure stakeholders with overt displays of competence.
Competence
Focus on what you can do, and seek help for everything else. Overt displays of competence, in short, are actions that demonstrate preparation and professionalism. This does not necessarily mean such actions have to be effective. A demonstration that the company is dealing with the situation in the best way possible is generally sufficient in the early days of the attack. Sometimes this means the victim should work with third parties to be more effective. Work with CERTs and cyber-security firms for advice and forensics assistance. Government authorities (including the police) can be extremely useful to heighten the stakes and show how seriously the company is taking the attack.
For example, in the UK, a joint press conference with the NCA (National Crime Agency) can securitise the issue. This would be an appropriate response to a particularly severe attack on critical national infrastructure (energy grid, communications, emergency services).
Coordination
Located at the epicentre of the attack, your company will be expected to coordinate stakeholders and partners throughout the crisis-response process. While the “actual” damage of a cyber-attack could be limited to a few servers of one company, the consequences of such an attack reach much farther afield. It is the company’s responsibility to immediately identify which actors are affected by the attack (employees, government, suppliers, customers, etc.) and to develop a response for each of them.
In fact, since the 1989 Morris Worm (ancient history) national cybersecurity strategies have based themselves on the coordination of private, public and third-party actors (Healey, 2013).
Cognisance
A fancy word for self-awareness, cognisance should inform every decision a company makes during a crisis. A crisis does not justify breaking the law or acting contrary to your values. In fact, when your stakeholders look back on this event, they will scrutinise whether you deserved the eventual outcome of the crisis. Does your website say you are “customer-centric”? Are safety and privacy your priority? Time to prove it.
As a law-abiding company, be sure you scrutinise what you can and cannot do. In France, “hack-backs” are illegal. The European NIS Directive requires that you declare cyber-attacks as soon as they are detected.
Never, ever, blame a third party. The infamous 2007 Mattel toy recall “went south” because the company’s first reaction was to blame its Chinese supplier. Sure, the supplier didn’t respect quality standards, but Mattel was in charge of managing its supplier and reporting the problem. After May 24th, GDPR will make it very clear where responsibility for leaked personal data lies. A company doesn’t own its customers’ data (or their trust); it merely uses it in exchange for a product or service. Taking responsibility for the problem displays competence and maturity.
Crisis-Management
The hours (even days) following attack detection will be extremely unusual. The laws of physics are different in a crisis environment. In a normal management setting, a company would seek to maximise revenues, production capacity and dozens of other industry-specific KPIs. Actions in a crisis are more primal: they concern themselves with rebuilding trust, and through it, company survival. Time is of the essence, and there is simply no time for wasteful discussions on less urgent matters. It is essential to defer to competent actors and give them the power and responsibility to deal with the situation effectively.
A cyber-crisis team, with executive powers and Board-level authority, should be established. These powers enable direct coordination of the security, legal and communications departments. They also give the team sole authority over disclosing details of the attack to external actors (government, media, suppliers) and to other employees. A lack of respect for these powers would render crisis-response decisions impotent, and spell failure.