16 April 2021
This is very difficult to determine. As a general rule, the crisis is considered to be over when the exceptional organizational measures put in place to deal with it are stopped. The company affected by a cyber-attack thus returns to normal operations. The members of the crisis management units are demobilized and post-crisis follow-up is integrated into daily activities.
The most important thing is to carry out a post-mortem analysis of how the crisis was handled. It is advisable to record everything, to write down precisely what happened, what actions were taken, by whom, and when. This documentation becomes a kind of black box and allows a cold analysis of what was done well while identifying the bad decisions. The idea is obviously to improve.
Communicating after a cyber crisis can be tricky because the impacts on image and business are real. Nevertheless, we find that silence rarely remains a good idea. As soon as the information is public, the company is assailed by questions from the media and messages on social networks. It is essential to regularly update communication across all media. Internal communication also helps to raise awareness among employees and partners about good cybersecurity practices. It is an opportunity to gain maturity in IT security issues.
One of the most common mistakes we observe is not following the defined remediation action plan correctly, or following it only partially, because the company concludes too soon that the crisis is over. This leads to not fully correcting an identified latent risk. Similarly, companies tend not to test their crisis management systems. We recommend conducting a crisis exercise at least once a year. This is the frequency imposed by regulation on banking sector organizations. Finally, crisis documentation often needs to be reworked. Sometimes it exists but is unreadable, weighed down by technical jargon and impractical formats such as fifty or even seventy-page documents. It is important to keep in mind that crisis files will be used especially in case of a new attack: short, simple, and clear formats are therefore to be preferred.
It all depends on the extent of the crisis. Sometimes, some companies don’t recover… especially smaller ones. More mature companies suffer dozens of attacks every day. Cybersecurity is integrated into their processes; they are prepared and trained. That’s the key: the more a company has prepared upstream, the less difficult it will be to manage the impact of the crisis. Guillaume Poupard, ANSSI’s CEO[1], often repeats that there are two types of companies: those that have been hacked and those that will be in the future. We can add a third category: companies that have already been attacked and that will be targeted again. Cyber-crises are part of everyday life: we can never repeat it enough, we must learn the right reflexes to react at the best moment of the attack.
Companies with B2B customers have the opportunity to provide them with documentation proving that remediation and security actions have been implemented. They can also have audits carried out by neutral organizations outside the company. It is also advisable to set up a monitoring committee, which will be responsible for communicating with customers about what is being done daily. For companies with a B2C target, it is a little more complex. We advise communicating about the cyberattack, being transparent, showing via social networks or media that actions have been implemented, transmitting the conclusions of security audits… Adopting a humble and learning stance, using the crisis as a starting point to become irreproachable in terms of cybersecurity, can be relevant.
I would advise them to be accompanied. Participating in working groups and conferences allows you to meet your peers and build a strong network. One must keep in mind that all companies are or will be targeted. A competitor is above all someone who is in the same situation as you are.
Notes
[1] French National Security Agency