Can you really plan for a cyber attack?
In our crisis training sessions we often talk about planned crisis response as opposed to ad-hoc, reactive response. Pretty much any crisis needs a combination of both, and great crisis teams will appreciate that you can’t ‘wing it’ all the time - you need an element of process, organisation and planning to ensure the best chances of an effective crisis response.
Whilst it would clearly be wrong to have a crisis plan for every eventuality, there are some threats that are so common, and so devastating, that some form of plan is sensible. For example, a cyber attack requires a series of steps that can be worked out ahead of time: not just the IT response, but the senior management response as well. It’s a fair bet that in the first hours, days and probably weeks of a cyber attack you will not know the full picture. You will be unclear about the amount of data affected, the nature and severity of the attack, or the protagonist’s strategy. There is no point in the senior management team sitting in their (real or virtual) boardroom asking IT “When will this be sorted?”
The team will need to deal with the fact that they are severely short of information and just get on with dealing with the impacts. How are we going to make payments or carry out critical business functions? What are we going to tell our customers? What are we going to say to the media? The world is not going to go on hold while you ask questions about the cyber attack and plug the gaps in your knowledge.
You can practise all this before it happens, but your cyber exercise needs to be designed in the right way. You can’t let the senior management team off the hook by allowing them to prevaricate by putting pressure on IT for answers. They need to get on and work out how to rescue the business in the absence of all the facts, because that’s the reality of how it will be if a cyber attack actually happens. Make sure that IT are represented during the exercise as a sense check so that the ‘business’ side of the response is completely integrated with the IT response.
During and after the exercise you need to record the steps you would take - and that is your cyber plan. Circulate it and agree it. Then if the worst happens you have the cyber plan as your start point and your handrail through the crisis. And that’s when the senior team’s judgement and experience come in.