Most organisations and businesses now consider cybercrime to be the greatest risk. The collective intelligence work in this report contributes to the first pillar by providing concrete details to readers so they know how to react to cyber crises. Whilst companies are generally well-equipped with crisis management procedures specific to their activities, cybercrime is a special case due to its speed, its impact and the difficulty of grasping and remedying it.
This report is also available in French.
This report covers how to manage a massive cyber crisis that can have significant consequences for the organisation’s activity, and it can serve as a practical guide to responding to a cyberattack. These consequences can impact a variety of domains, including operations, finance and brand image.
Cyber crisis management is made up of different stages that need to be clearly identified to avoid getting bogged down in the crisis. Initially, the organisation must limit the attack’s impact as best it can to prevent the crisis from spreading. It can then repair and stabilise its information system. Meanwhile, investigations can be conducted to identify the reasons for the attack and ensure that the IT environment is safe once again. In parallel to all this, it is important to consider the legal process from the start of the cyberattack, since it will last long after the crisis is over.
Two crisis units are established to manage the cyber crisis: the operational unit, which for cyber crises is comprised mainly of members from IT, and the decision-making unit, which ensures the organisation’s business continuity. All the stakeholders involved in managing the crisis’s technical and strategic aspects should be identified. The moment when the crisis unit is activated is also key to reacting quickly: this moment is usually set out in the business continuity plan (BCP) and depends largely on the consequences for all the business units that use IT.
Beyond the technical aspects – diagnosing the attack and repairing the IT – communication is important to avoid a crisis within a crisis. A communication channel that does not depend on the organisation’s IT system needs to be set up to maintain internal communications. All stakeholders within the organisation, the ecosystem and potentially the media also need to be considered in the messaging.
A cyber crisis often leads to a legal process as well, which requires the IT department to coordinate with the legal department. If there is a personal data leak, the CNIL must be notified immediately. It is also important to notify your cyber insurance company as soon as possible. Evidence of the attack should also be preserved to provide significant proof for the proceedings.
External service providers are often needed to reinforce in-house teams so they can benefit from expertise that is lacking internally. ANSSI can be an ally on several fronts when managing a cyber crisis.
The longer the crisis lasts, the more overworked the IT teams will be. It is important to make life easier for the teams by managing the logistical aspects as best as possible, without forgetting to allow time for rest, even for the most essential and motivated employees. When the crisis ends, the legal process must be followed carefully, because it can still last several months. This is often a chance for the IT department to improve its security.