The first 48 hours following a crisis situation are incredibly important, impacting not only the next few months or years of your organization but they can have a dramatic knock-on effect for the rest of your career.
Speaking at The European Information Security Summit in London, Andrzej Kawalec, CTO of Hewlett Packard Enterprise, explained that the cybersecurity industry can take lessons from the wider spectrum of crisis management and response, such as the aftermath of natural disasters and worldwide epidemics.
Kawalec referred to the devastation caused by Hurricane Katrina in 2005. He highlighted how three key failings left the US coastal seaboard not only unprepared for the disaster but also inhibited its recovery.
“There was a failure in their ability to predict the impact of Hurricane Katrina.” he said. “There was a failure to coordinate emergency response and there was a failure then to continue to provide emergency response to the series of after effects.”
Katrina was the 11th named storm of the 2005 Atlantic hurricane season – it was predicted when and where it was going to hit, so people knew it was coming. Despite this, New Orleans was massively underprepared to deal with it.
In much the same way, it is now generally accepted that organizations are always vulnerable to a cyber-attack of some kind at some point. Numerous research is available on how hackers operate, what they are looking for and how devastating a data breach can be for a company.
There is a parallel between the snowball-like fallout following a cyber-attack and a sustained hurricane environment, so Kawalec warned companies against making the same mistakes the US did back in 2005. It is not enough to simply know what cyber-threats you are facing, nor is it enough to try and gauge when you are most likely to be hit – you have to have a detailed response plan ready to implement before the event happens.
Similarly, he touched upon the issue of the Ebola virus, explaining that whilst there were strong international procedures in place at the time designed to effectively deal with such an epidemic, when it came to Ebola, the international committee acted too slowly and waited too long (four months) to act. It wasn’t until Ebola cases started turning up in Europe and the US that a state of emergency was declared.
Kawalec argued the learning behind this is that “It takes an immediacy of response, somebody to raise the alarm, preparation, existing capabilities that you can parachute in and a coordinated response” to effectively deal with a crisis. Failing to do so can have damaging ramifications, so businesses need to be equipped with a quick response plan in the event of a breach.
Kawalec said there is also a human element that contributes to a lack of readiness when it comes to dealing with a crisis. He argued that when faced with an event we are not prepared for, it is human nature to avoid taking quick, assertive action, instead choosing to “sit tight and hope everything is going to be okay.”
However, when we are empowered with structured knowledge of how to deal with a crisis (a fire for example), we can calmly assess the situation and carry out predetermined actions that raise awareness and allow us to move to a place of safety, protecting ourselves and those around us.
Despite this, there is no common training that exists which teaches people how to respond to a cyber-breach/response situation.
“I don’t believe that many people in organizations believe they are empowered, understand how to raise the alarm or make a decision [regarding a cyber-attack].”
He concluded by likening data breaches to what he calls ‘Neon Swans’. Whilst ‘Black Swans’ are often very rare events that are almost impossible to predict, ‘Neon Swans’ are “unthinkably rare, immensely important, and blindingly obvious.”
He added:
“We should exist with an assumption of compromise; that our networks have been compromised and we will be attacked. Knowing the risk to our organizations depends on us understanding the threats facing us, the digital assets we hold dear and the likelihood of those threats influencing us through a vulnerability.”