Companies are not or not sufficiently prepared to react appropriately in the event of a cyber attack. The executive level in particular is not always aware of its responsibility and likes to pass the problem on to the IT department.
The topic of cyber-resilience is still regarded as a step child in many companies. Baroness Dido Harding, former CEO of British telecommunications company TalkTalk, opened Infosecurity Europe 2018 with a warning to executives to be aware of the responsibility management has when it comes to cyber security. Harding knows what she's talking about. TalkTalk fell victim to a hacker attack in 2015, when data from over 150,000 customers and over 15,500 account numbers were stolen. The company decided to inform customers about the attack on the same day but could not provide any concrete information about the nature of the attack, what data had been compromised, or whether it was encrypted. After statements like "The truth is, I have no idea", Harding got into the line of fire of the customers and the public. Harding was held personally responsible, even though she adhered to the company's security guidelines. The incident finally cost the company £42 million, the share price fell massively and over 100,000 customers cancelled their contracts. In addition, the UK data protection authority imposed a fine of £400,000 for negligence in protecting customer data.
Lack of internal communication
"This is the kind of scenario that is also noticed in the boardroom," says Andrew Beckett, Managing Director and EMEA Leader Cyber Risk of the consulting firm Kroll, in an interview with COMPUTERWELT. But it should not go that far in the first place. According to Beckett, the fundamental problem is that the management level usually has little idea of security and dismisses it as a problem for the IT department. "However, a cyber incident has an almost direct impact on a company's share price and reputation," says the expert, "and that also affects the Executive Board." Massive communication problems between the board and the IT department remain. This is also confirmed by an IBM-Ponemon study on resilience against cyber attacks. The report "The 2019 Cyber Resilient Organization" shows that a large majority of companies are still not prepared to respond adequately to cyber attacks. According to the study, 77 percent of companies do not have a uniform, company-wide emergency plan. The ongoing difficulties in implementing the contingency plan also affect compliance with the German Data Protection Ordinance (DSGVO). Although the DSGVO has been in force for over a year, nearly half (46 percent) of managers surveyed worldwide state that their company has not yet fully complied with the basic data protection regulation.
"When it comes to responding to a cyber attack, lack of preparation is the first step to failure," says Ronald Schranz, Partner of the globally active strategic communications consultancy Brunswick and Head of Austria & CEE. "The crisis management system must therefore be reviewed regularly. And in order for such a programme to be introduced and operated, the full support of the Management Board is required in order to invest in the necessary staff, processes and technologies".
Crisis management as teamwork
According to Schranz, crises today are completely different in view of the changed framework conditions, diverse risks and threats. The threats are constantly changing so quickly that you can be sure that trained scenarios are not up to date in an emergency. "Pseudo-preparation results in false security that becomes an additional risk," says Schranz. "Our approach is to deal with complex situations in a complex manner by focusing on the crisis management team and dispensing with the usual manuals for specific crisis situations. Such a team could act somewhat separately from the Board of Managing Directors, therefore deal with the issue more freely, work out an optimal procedure and determine whether it is an actual crisis or just an incident.
"The team should not comprise more than ten people, must be trained and also have the opportunity to quickly add competencies if needed. What you need in the team is someone who has an understanding of the law, someone who knows the operations, someone who has access to communications and, above all, someone who has an overview of the stakeholder landscape," explains Schranz. It is important to communicate quickly with employees so that they know what is going on and what their role is in this situation. The system needs precise preparation with guidelines and clear rules and responsibilities.
A cyber crisis is a special case that differs markedly from other crises - in terms of content, process and not least in terms of the understanding of the top management, which tends to see such an incident as a purely technical issue. "One has no sympathies as a hacked company. You may not be the bad guy, but you are the stupid one because you didn't manage to protect your company and its data. And once the data leak has been discovered, you still don't know since when it existed and whether data has been manipulated, deleted or tapped. During this phase, communication is a critical factor in overcoming a cyber crisis," says Alexander Kleedorfer, Director at Brunswick Austria & CEE. If the company is not prepared, a cyber incident that has become publicly known could have unpleasant consequences: "It's about the resilience of the entire company and not just technical fixing, and it's about possible damage to reputation that must be kept to a minimum through appropriate communication. You should know exactly what you are communicating and when. For example, you have to think about what you can make public without creating problems for yourself later on. Things that are said hastily and later turn out to be wrong are dangerous, because you lose your credibility quickly and permanently."
In addition to the ambiguities mentioned above, the awareness of the top company level and its liability is an important aspect of cyber incidents. "If the IT department head draws attention to a problem and the management does not react, then the consequences in the case of the case concern the top management rather than the IT person", says Kleedorfer. "This is part of the problem of why many companies find themselves in a risky situation. A broader understanding for cyber risks from top-level management would be helpful - not least out of their self-interest".
Read the original version of this article in Computerwelt in German here.