You need a “HOT” group to manage a cyber-security breach. That doesn’t mean they need to be dressed well or good-looking. HOT stands for Hour One Team. Our work in this area began long before widespread fears of cyber-attacks. It began in the resource sector, where an incident might occur in the Arctic, miles underground in a mine, or in the proverbial middle of nowhere.
Events in unpredictable locations had unpredictable outcomes. First responders have told stories of police officers roughing up journalists trying to cover a petro-chemical spill, and other police officers saying an event was just a drill when it was a real emergency. They were well-meaning, but the company had to clean up both the petro-chemicals and the bad relations with stakeholders on arrival.
The remedy was to train first responders as rudimentary spokespeople, because that would be the reality. The truck driver, the responder with absorbent material, the fire-fighter and others were first on the scene and would be asked about what’s going on. They couldn’t look or act guilty or pretend they didn’t hear the simple question. They also couldn’t be overall spokespeople for the company, but couldn’t pretend what they were doing was a secret. Training and messaging involved sticking to the technical knitting—how to deploy boom (floating fences to contain oil), what skimmers that pick up oil are, the physical properties of oil and chemicals, response gear and so on. These rudimentary spokespeople did not talk about the price of gas, executives’ salaries, or anything else they had no business speaking about. But their simple explanations filled the first few newscasts with facts to make the critical content shorter and more factual. They could also satisfy politicians, regulators, neighbours, and other stakeholders for a short period of time. Then out came the PR people and senior executives with more detailed messages and more content.
To bring this method up to date, your cyber incident can happen anywhere in your system. It can happen within a supplier’s system in the supply chain. The attack can manifest itself instantly or lie dormant for a few years, and then the payload can deliver damage, shut down your system, spread rumours, or do anything else a hacker, terrorist, enemy, or deranged person can think up. The attack can originate anywhere in the world.
Spokespeople will be cashiers, whoever answers the phone, the guard at the gate, any one of your employees on social media, or just about anyone who will speak or can be reached. Third-party commentators will include competitors, those in your supply chain, and politicians out to solve the problem in favour of customers.
What a mess.
Your response team won’t have an hour. It will have minutes. In fact, it should really have a time machine to start a few years ago in order to catch up. More realistically, now is the time to tell your frontline workers, the rudimentary spokespeople, what to say in an event. Now is the time to codify messages for spokespeople and to understand the characteristics of your system and supply chain. Now is the time to work with stakeholders and build third-party advocacy you can draw on in times of crisis.
Now is the time for a lot of things—legal advice, insurance, and the so-called due diligence defence. Due diligence means doing all that the reasonable person would do to prepare and reduce damage. This means thinking now about how much technical information to release when the time comes. No one will need to know how to build a cyber security system in the early hours of your crisis, but they will need to know that you know, or your suppliers know.
Any crisis can disable your office. A cyber event certainly can. So now is the time to decide where you are going to go to set up computers, phones, and other gear to manage the event. Crimes feature crime scenes, and crime scenes contain evidence. It’s important that, in everybody’s zeal to get back to normal, no one neglects to preserve evidence that can lead to an arrest or conviction. It’s great to get back to normal, but what if it were an inside job, only to be repeated next week? You may also have a legal obligation to notify affected parties, and to do so in certain ways. Now is the time to check.
All crises can feature a hit to reputation. Now is the time to enhance that asset and determine ways to preserve it during a crisis. Now is also the time to consider the help you may have to give to those whose data you made public. In some jurisdictions, fines are up to $100,000. Damage can include bodily harm, but also humiliation, reputational damage, and a range of other harm.
After forming your HOT team, give them a fighting chance to succeed. As in the military, use war games, simulations, training, and drills, and stockpile the ammunition you’ll need.
From Cyber City Safe: Emergency Planning Beyond the Maginot Line, available here.