Cyberattack: Shorten response time

In the event of a disaster, fast action is very important. This also applies in the event of a cyberattack. Critical event management systems support the emergency and rescue teams in this.


 

Disasters such as severe weather, snow avalanches, acts of sabotage or cyberattacks have one thing in common: they occur with very little warning or even completely unexpectedly. Decisive, cooperative action is then called for to ensure that the emergency does not escalate into casualties, possibly fatalities, and high levels of damage. Efficient communication between teams is the key to success in the difficult business of crisis management. Incident commanders who don't set up emergency teams and crisis workflows until after the emergency has already occurred lose too much time: hours or even days that could be put to better use. The rule of thumb is that the more time passes before the right emergency measures are put in place, the greater the damage in the end.

Data theft and ransomware attacks cause high losses for Swiss companies every year. Since the beginning of 2019, encryption Trojans have increasingly been attacking SMEs and large companies in Switzerland and abroad, according to MELANI, the Reporting and Analysis Center for Information Security. In some cases, these attacks also encrypt backups and render them unreadable, which makes it impossible to restore the business activities of the affected companies. MELANI generally advises against paying a ransom because there is no guarantee of obtaining the keys for decryption.

Public institutions and hospitals, like industrial companies, are not spared from cyberattacks and software errors. One example: after the turn of the year 2018/19, the bedside emergency call systems in numerous Swiss hospitals, retirement homes and nursing homes stopped working due to a software glitch. The University Hospital Zurich (USZ) confirmed at the request of the NZZ that the monitors of the patient call system failed at midnight. According to the USZ, however, patient care was guaranteed at all times and no incidents were known.

There is no such thing as one hundred percent security. There is a saying among security experts that there are two types of companies. Some know they've been hacked, while others are clueless and still lulled into a false sense of security. The first step is therefore to recognize and categorize an attack. Classic firewalls and intrusion detection systems, for example, can help here. The second step is to put together an emergency team as quickly as possible with the right expertise to effectively combat the attack and avert damage to the company. Communication and cooperation play a key role here. Only if companies communicate efficiently in the event of an emergency can they quickly defuse a cyberattack, limit its extent, maintain business operations as best as possible, and prevent a loss of reputation. 

Automated system prevents damage

IT professionals estimate that the use of a CEM (critical event management) system can reduce the response time to a cyberattack by at least 20 percent. A CEM enables the automated composition of an emergency team and the automatic contacting of team members according to predefined workflows via SMS, telephone, mail or messenger app. Communication is bidirectional. If a team member cannot be reached, the CEM works through all available communication channels and, if that fails, looks for alternative personnel.

The key to successful crisis management is to integrate not only IT managers and emergency teams, but all employees into the CEM communication system. Only then can the entire workforce be informed about the situation and the next steps. In the case of the Fürstenfeldbruck hospital, this meant also informing emergency services that admission capacity is currently severely limited as a result of a complete IT failure.

Communication via all channels

The key to quickly informing the people relevant to defending against the cyberattack lies in multimodal messaging. The more communication channels are open, the more likely it is that the relevant people can actually be reached, regardless of time of day or location. Therefore, it should always be possible to contact them via multiple channels and devices: via SMS, push message, e-mail or voice message on their private and professional fixed-line and cell phones. For each person, it should also be noted which communication channel they usually prefer and whether they are currently abroad and therefore cannot take over the emergency in a timely manner.
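The contact workflow described above (preferred channel first, then the remaining channels, then an alternate person, skipping anyone abroad) can be sketched as follows. This is an added example, not code from the article or from any CEM product; the roster, role names and the `send` callback that reports an acknowledgement are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Responder:
    name: str
    role: str
    channels: list          # every channel this person can be reached on
    preferred: str          # channel they usually answer first
    abroad: bool = False    # True: cannot take over the incident in time

def staff_role(role, roster, send):
    """Contact candidates for one role until someone acknowledges."""
    log = []
    for r in (p for p in roster if p.role == role):
        if r.abroad:
            log.append((r.name, None, "skipped: abroad"))
            continue
        # Preferred channel first, then the remaining ones in listed order.
        order = [r.preferred] + [c for c in r.channels if c != r.preferred]
        for ch in order:
            acked = send(r, ch)  # bidirectional: True only on acknowledgement
            log.append((r.name, ch, "ack" if acked else "no reply"))
            if acked:
                return r.name, ch, log
    return None, None, log       # nobody reachable: role stays unfilled

def assemble_team(roles, roster, send):
    """Return (team, unfilled roles, audit log of every contact attempt)."""
    team, audit = {}, []
    for role in roles:
        name, ch, log = staff_role(role, roster, send)
        audit.extend(log)
        if name:
            team[role] = (name, ch)
    return team, [r for r in roles if r not in team], audit

# Constructed roster and replies for a trial run; all names are made up.
ROSTER = [
    Responder("A. Keller", "incident_lead", ["sms", "phone", "email"], "phone"),
    Responder("B. Meier", "incident_lead", ["sms", "push"], "push"),
    Responder("C. Frei", "forensics", ["email", "sms"], "sms", abroad=True),
    Responder("D. Roth", "forensics", ["phone", "sms"], "sms"),
    Responder("E. Graf", "communications", ["email"], "email"),
]
ACKS = {("B. Meier", "sms"), ("D. Roth", "sms")}  # who answers, and where
ROLES = ["incident_lead", "forensics", "communications"]

if __name__ == "__main__":
    print(*assemble_team(ROLES, ROSTER, lambda r, ch: (r.name, ch) in ACKS), sep="\n")
```

In this constructed run the communications role stays unfilled because its only candidate is listed with a single channel, and the audit log records every attempt that led there.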

Workflows defined in advance in emergency plans help to combat crises efficiently and minimize damage from cyberattacks. In order to communicate as efficiently and error-free as possible in the event of an emergency, companies should also prepare templates for workflows and notifications. The key here is to design messages specifically for the various groups of recipients and their different tasks in the event of a crisis. The IT response team needs very different information than management or the HR department.

Do not forget partners and customers

In addition to internal communication, external communication must not be neglected. This includes informing partners or customers in good time, for example, if there is a risk that they will be affected by the cyberattack. Appropriate processes and templates should also be prepared for them. This creates transparency, builds trust and prevents false information and rumors from spreading. It is also very important to keep an eye on all regulations and compliance requirements. For example, there may be a legal obligation to report to the authorities if a company is classified as a critical infrastructure operator.

Prepared workflow and message templates make it possible to practice, test and, if necessary, optimize the set-up processes without the pressure of an emergency. Trial runs help to measure the response and reaction rates, thereby uncovering any weak points and then eliminating them in a targeted manner.

If an IT security incident occurs, internal and external communication are equally important. With an automated, template-driven system, companies ensure they reach the right people at the right time. IT can then resolve the problem faster, and internal and external stakeholders have the ability to make decisions based on accurate and up-to-date information. 

Risks are underestimated

Every company has a vital interest in using a CEM to continuously improve its emergency management. But not every company does so - and thus runs a high risk. The analyst firm Forrester conducted a survey of 214 companies in 2018: Each had experienced at least one critical emergency in the past 24 months. Twenty-four percent were attacked by cybercriminals, 25 percent of companies had a mission-critical system fail, and 28 percent had important documents stolen. The companies affected are well aware that their reputation as business partners and suppliers could suffer as a result and that they risk losing revenue as a consequence. Only just under a third measure the recovery time it takes to get failed or severely slowed systems up and running again.

Forrester survey: Integrated CEM brings benefits

Among the companies surveyed, those using a CEM system were able to deal with critical incidents better, faster and more cost-effectively. Forty-nine percent had reduced costs for planning and implementing emergency measures; without the use of a CEM, the figure was only 29 percent. Fifty percent were able to locate and contact their employees more easily with a CEM, versus 36 percent without a CEM. Thirty-nine percent (21 percent without a CEM) found it easier to adhere to compliance rules and regulations. A revealing result of the Forrester survey: companies that do not use an integrated (unified) CEM system, but instead prefer isolated solutions, are not even aware of the disadvantages of their decision.

*Andreas Junck is Director of Sales DACH at Everbridge in Munich.

 
