Research & Intelligence
The Secret Sauce to Managing a Ransomware Crisis (Or Any Breach)
Supercharging your cross-functional communication is key to weathering the storm.
By: Jon R. Ramsey
Your security program is maturing, vulnerability management processes are in place and an IR plan is complete. You may even have briefed the board on the ransomware risk. Are you as prepared as you can be for the inevitability of a WannaCry-style attack, or any other breach for that matter?
From my experience as a responder, I would say no, unless you also tell me you've dealt with an important and often-overlooked subjective factor: managing emotion in the heat of response. How? By supercharging your cross-functional communications now, before a breach occurs.
In the speed and chaos of response, even the best-laid incident response plans can be derailed when human emotions escalate and trigger deviations from the plan. Too many times, business stakeholders outside your immediate sphere of influence unwittingly cause more damage in the form of turf battles, opposition to necessary operational downtime, and premature conclusions that result in public misstatements.
Here are five quick tips for boosting your cross-functional business communications in a way that establishes buy-in for your crisis plan when the rubber finally meets the road:
1. Define your stakeholders. Sure, you interface with your superior and direct reports, but security leaders are risk professionals, not just security program managers, so I suggest building strong relationships with compliance, legal, operational risk and the line functions, as well as marketing, HR, finance and procurement.
2. Level set with each stakeholder by anticipating their "Top 3". A startlingly simple way to get buy-in from each of your key stakeholders in a breach situation is to ask them now, "What are the top three questions you'll want to ask me in the heat of a crisis?" In this way you uncover both their expectations and their perspective in one fell swoop and can manage them proactively, for example when finance asks "Have we activated the cyber insurance policy?" or procurement asks "What do I tell vendors about policy activation?"
3. Be honest about the bad news. Another way to avoid derailment during a crisis is to proactively prepare each of those stakeholders for what may happen in the speed and chaos of response, even if they seem far removed from your day-to-day security operation. Example: are the business functions really prepared for the process of evicting the attacker, which can include downtime? Is IT prepared for gear replacement? Communicating and planning for the physical remediation helps manage the tensions that arise when gear has to be brought back online quickly.
4. Phrasing is king if you want to get buy-in. When communicating about cyber prevention, awareness and hygiene, position your policies and processes as "anti-bad guy" rather than "distrust of employees." Instead of "We're doing xyz," which may raise privacy concerns among employees or make them feel they're not trusted, communicate in the positive, e.g. "We're all responsible for making sure that data doesn't leave the company and get to the bad guys, so we'll be implementing xyz."
5. Be a straight-shooter with your third-party responder. As soon as I arrive at a company in crisis, the first thing I ask is, "What's your real objective?" That may seem like a rhetorical question, but it's not: it's the most important thing your company can communicate to the responder, because it guides prioritization during the remediation stage. Rather than just answering "I want to manage the risk," be ready to answer in terms of cost, disclosure and prioritization, because each objective pulls remediation in a different direction. For example, "My objective is:
- To get the business up and running – restoration comes first, even if that means some questions about the intrusion go unanswered.
- To do right by the customer – are you willing to absorb more expense and earlier disclosure to stop the attack?
- To mitigate my regulatory risk – if we just want to make the attackers go away, that places a different emphasis on remediation.
- To catch the bad guy – preserving evidence and tracking the intruder takes priority over the fastest possible cleanup."
Finally, know what you know, and know what you think. When managing the emotional response to a breach, it's important to separate the facts (what we know) from what we think (the alternatives before us when absolute facts are not available). Define both, and resist acting on the second category first. Once you've determined which facts you are able to confirm, it's time to choose among the alternative possibilities and decide how you'll act on the one you select.
Of course, these cross-functional communication tips are just the secret sauce on top of what should be the right operational preparation for a breach. Your incident responder can help you establish facts and make an informed statement more quickly if you've laid the groundwork with tools for visibility in the environment and the right log retention processes; note that retention only helps if it reaches back further than the attacker's dwell time, which is often months rather than days. Deep threat intelligence with rich context can then be applied to answer "Why did they go after that asset?" or "What did they do to it?" so you can manage the crisis with more confidence.