By Brennen Schmidt
ALEUS Technology Group
and Allan Bonner
Troy Media columnist
You need a HOT group to manage a cyber-security breach. That doesn’t mean they need to be dressed well or good-looking. HOT stands for hour one team.
Work in this area began long before widespread fears of cyber attacks. It began in the resource sector, where an incident might be in the Arctic, kilometres underground in a mine or in the middle of nowhere.
Events in unpredictable locations had unpredictable outcomes. First responders have told stories of police officers roughing up journalists trying to cover a petrochemical spill and other officers saying an event was just a drill when it was a real emergency. The cops were well-meaning, but the company had to clean up both the petrochemicals and the bad relations with stakeholders.
The remedy was to train first responders as rudimentary spokespeople, because that would be the reality. The truck driver, the responder with absorbent material, the firefighter and others were first on the scene, and they would be asked about what was going on. They couldn’t look or act guilty, or pretend they didn’t hear the simple question. They couldn’t be overall spokespeople for the company but also couldn’t pretend what they were doing was a secret.
Training and messaging involved sticking to their technical knitting – how to deploy floating fences (booms) to contain oil, what skimmers that pick up oil are, the physical properties of oil and chemicals, response gear and so on. These rudimentary spokespeople were trained not to talk about the price of gas, executives’ salaries or anything else they had no business speaking about.
The workers’ simple explanations filled the first few newscasts with facts to make the critical content shorter and more factual. They could also satisfy politicians, regulators, neighbours and other stakeholders for a short period. Then out came the public relations people and senior executives with more detailed messages and more content.
To bring this method up to date, a cyber incident can happen anywhere in your system. It can happen within a supplier’s system or anywhere in the supply chain. The attack can manifest itself instantly or lie dormant for a few years, then the payload can deliver damage, shut down your system, spread rumours, or do anything else a hacker, terrorist, enemy or deranged person can think up. The attack can originate anywhere in the world.
Spokespeople will be cashiers, whoever answers the phone, the guard at the gate, any one of your employees on social media, or just about anyone who will speak or can be reached. Third-party commentators will include competitors, those in your supply chain and politicians out to solve the problem in favour of customers.
What a mess.
Your response team won’t have an hour. It will have minutes. In fact, it should really have a time machine to start a few years ago in order to catch up. More realistically, now is the time to inform frontline workers on what to say in an event. They are the rudimentary spokespeople. Now is the time to codify messages for spokespeople and get an understanding of the characteristics of your system and supply chain. Now is the time to work with stakeholders and generate third-party advocacy in times of crisis.
Now is the time for a lot of things – legal advice, insurance and a due diligence defence. Due diligence means doing all that the reasonable person would do to prepare and reduce damage. This means thinking now about how much technical information to release when the time comes. Nobody will need to know how to build a cyber-security system in the early hours of your crisis, but they will need to know that you know or your suppliers know. They will also need to know such things as whether the breach has been contained, how many users may have been impacted and what else is to follow.
Any crisis can disable your office. A cyber event certainly can – especially when a portion of an organization’s workforce does the bulk of its work using remote access or telepresence. So now is the time to decide where you’re going to go to set up computers, phones and other gear to manage the event. You’ll also want to be prepared to do all of this from a secondary location, in the event that the cyber attack is followed by a physical threat.
And don’t count on your existing methods of communication to work when you need them. Crises are known to cause a surge in network traffic. If the network is compromised, good luck calling someone using your Internet-connected (VoIP) phone, let alone sending an email or instant message. Go old school. Paper, pens, dry-erase boards, typewriters and sticky notes will prove invaluable assets – perhaps even more than their technological counterparts.
Crimes feature crime scenes containing evidence. It’s important that, in everybody’s zeal to get back to normal, they don’t neglect to preserve evidence that can lead to an arrest or conviction. It’s great to get back to normal, but what if it were an inside job, only to be repeated next week? You may have a legal obligation to notify affected parties, and to do so in certain ways, and now is the time to find out.
The evidence you will need can come from reviewing hours of video surveillance, or paging through visitor access logs or server logs. It could even include reconciling active and inactive users listed in your system’s directory. An employee on vacation could very well be the culprit – or even a planned decoy. Now is the time to check.
All crises can feature a hit to reputation. Now is the time to enhance that asset and determine ways to preserve it during a crisis. Now is also the time to consider the help you may have to give to those whose data you made public. In some jurisdictions, fines are up to $100,000. Damage can include bodily harm, humiliation, damage to reputations and a range of other harm.
After forming your HOT team, give them a fighting chance to succeed. As in the military, use war games, simulations, training and drills – and stockpile the ammunition you’ll need.
Dr. Allan Bonner, MSc, DBA, is a crisis manager based in Toronto. His forthcoming book is Cyber City Safe. Brennen Schmidt (BEd, Certified PR, CUA) is principal of the ALEUS Technology Group, a boutique digital communications firm in Regina.