Regardless of how secure you believe your business infrastructure is after implementing a cybersecurity program, you always need to approach every day with the expectation that a cyber-attack is going to occur. The majority of businesses are going to experience a handful of cyber attacks during their lifetime. When an attack does occur, you need to make sure that you keep track of the most important priority during a cyber crisis: ensuring the safety of all persons involved.

The implications of a major cyberattack can cause heavy anxiety, and this anxiety often boils over into panic and chaos when the first signs of an attack surface. Even small incidents that you understand are minor and easy to mitigate can cause emotional breakdowns in other employees. Your average working person today is not an IT security whiz and generally only knows the minimum technology skills to perform their job. Therefore, incidents involving threats of retaliatory action from threat actors can feel very real to them, and the implications of their actions often lead them to believe that their job, finances, and even their well-being are in danger.

To keep everybody calm and safe, work closely with your entire staff to practice conduct for crisis scenarios. This is where tabletop exercises and simulations shine, as they can very effectively mimic real threat actor tactics, techniques, and procedures, and allow you to clarify details to less technologically experienced employees. Try to clarify facts to all employees that may not be crystal clear to everybody, such as:

  1. If law enforcement were really pursuing you, they would never give you a detailed explanation of their plans ahead of time.
  2. You are never going to be asked to provide financial data in return for dropping a criminal charge.
  3. There is never a scenario where you will be asked to provide financial data to company IT employees for something to be fixed.
  4. Major companies such as Microsoft and Apple will never reach out to you personally for malware infections.
  5. If you have any suspicions about a phone call or email, its objectives, and its source, it is best to cut the contact and verify it with a company professional, even if it turns out to be legitimate.

Classic threat actor techniques like social engineering can fool anybody, and you will often be surprised to see even younger employees fall right into their traps. In addition to discussing these malicious tactics and reviewing them in simulations, you could make a visually appealing infographic containing reminders and post them throughout your business facilities. Small things like that can make a difference.

In addition to educating employees, ensuring that your Disaster Recovery and Business Continuity Plans are up to date and regularly reviewed is critical to cybersecurity crisis management. Cyber crises are not always going to be small phishing incidents or malware infections. There is a real chance that you could experience a massive data breach or denial of service attack that wreaks havoc on a larger scale. Additionally, physical threats like a natural disaster severing network links, or an intruder stealing valuable assets, are always a threat. The only real way to try to keep panic low during these major crises is to have the DRP and BCP be second nature to everyone involved. If employees automatically know their responsibilities during a major crisis, they are less likely to panic and start spreading said panic to other employees.

While crises are underway, set an example by keeping a level, reassuring attitude. Try to spread this to other employees by reminding them of common-sense realities and emphasizing that attacks are not their fault, even if they played a role in the threat actors penetrating your network. Blame will only make the crisis worse. Emphasize the key objective during a crisis, which is to stop the bleeding and eliminate as much of the threat as possible while ensuring critical business functions remain operational. Once a crisis has been resolved, continue the calm attitude. Thank your employees for helping in the disaster recovery and business continuity and again quell any discussion of blame or the spreading of anger. If employees have been severely affected by a crisis, involve HR staff to help reduce the anxiety and tension caused by the events. Once the threat has been fully eliminated and secure business continuity has been confirmed, gather all employees for a lessons learned review. Discuss what happened during the crisis, what needs to be improved in the DRP and BCP, and allow a democratic discussion to form. Making all employees feel heard regarding their concerns and questions is extremely beneficial to the health of your business post crisis and will help ensure that the responses to future crises will be better and more orderly.