Hacked - so what?

A rude awakening: early in the morning, as the CEO, you receive an e-mail saying "infrastructure hacked" and an extortion letter. How do you notify the crisis team on such a day and involve other parties?

Blackmail letter
© Nico Zonvi/USZ

An unusual day as a business manager: on your way to the company, you want to check the business e-mails and receive an error message. At 8:15 a.m., when you arrive at the office, the hacker's extortion letter is on the screen. She wants to receive ten Bitcoins within the next 24 hours and promises that you will get your business infrastructure back once the Bitcoins have been received.

No problem - you are prepared. Transferring Bitcoins to the hacker is out of the question for you. First, you pull a kind of business card out of your wallet. It lists all the contact details of the crisis team, together with two ways of calling a meeting. Since the business e-mail is disrupted, you do not use the mail group but the crisis team's messaging group. At 8:20 a.m., all members of the crisis team receive your message: "Infrastructure hacked - meeting at 8:30 a.m. in the meeting room or via conference number 058xxxxxx with code 529xxx." You now take your crisis doc out of the drawer, go to the crisis staff meeting room and establish the conference connection.

While waiting for everyone to dial in, you take a look at your crisis doc. First you see section I, Responsible persons: the list of the crisis team members with their area of responsibility, e-mail address, telephone number and deputy. To choose the members of the crisis team, you carried out a risk assessment and defined the business-critical networks. In your case, an employee of an external IT company is designated as the IT security officer. In that role, he primarily makes sure that no hacker gets through. If a hacker gets through anyway, he takes care of cleaning up the networks and restoring the business infrastructure.
In your case, the Board of Directors only wanted to be informed and did not want to take part in the crisis team. That is why you are listed as the decision-maker. Whenever data is attacked, data protection is affected, and the data protection officer is listed accordingly. She will take care of any reporting obligations and of the criminal proceedings to be expected under data protection law. Given the size of your company, you also wear the hat of the communications officer.

In section II, Meeting, of your crisis doc you find the information on how you want to convene a meeting. Shrinking this information to the size of a business card and keeping it in the wallet of every crisis team member has proven its worth today. The call could just as easily have been initiated by another crisis team member. It is 8:28 a.m. and only one member has yet to join before you can start the meeting.

In section III, Stakeholders, of your crisis doc you have listed those contacts whom you do not want to learn from the newspaper that your company has been hacked: the complete contact details of your employees, board of directors, customers and business partners. Since you are a member of an association and are subject to supervision, you have listed those contact details as well. To identify the responsible police authority, you clarified where your servers are located, and now have complete contact details in your crisis doc. For the federal government, you report to the Melani/NCSC reporting office. Since your company could only survive seven working days without access to its infrastructure, you took out cyber insurance a month ago; the contact information and policy number are listed.

8:30 a.m.: All crisis team members are present and the meeting can begin on time. The member who convened the crisis team opens the meeting. After each member has been given the floor and briefed on updates, decisions are made. Notifications to Melani/NCSC are handled by the IT officer, and the relevant data protection authorities are informed by the data protection officer. You take care of communication with the stakeholders. From now on, the crisis team meets every two hours to share information on current events.

Section IV, Communication, of your crisis doc helps you inform your stakeholders at 9:00 a.m. with this letter:
"We regret to inform you that our company detected unauthorized access to its infrastructure today at 8:15 a.m. The hacker was able to place a blackmail message. The crisis team designated for such a case met for the first time at 8:30 a.m. So far, all our systems have been disconnected from the Internet. In addition to investigating how our infrastructure was accessed, we are working to scan our offline backups chronologically for infections. A clean backup will be restored to a replacement infrastructure. More details will be provided at 5 p.m. today."
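The chronological scan of the offline backups mentioned in the letter comes down to one decision: which is the newest backup set that is still clean, and how much recent data is lost by restoring it? The following is an added example, not code from the article or from USZ. Backup labels, timestamps and scan verdicts are constructed, and the actual malware/IoC scan of each mounted backup is assumed to have already run, represented here by the `infected` flag.

```python
"""Choosing a restore point from offline backups after a compromise.

Added example, not part of the original article. The backup sets below
are constructed; `infected` stands for the verdict of an offline scan
(assumed to have been run on each mounted backup beforehand).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Backup:
    label: str
    taken_at: datetime
    infected: bool  # verdict of the offline scan for this backup set


def select_restore_point(backups: List[Backup], detected_at: datetime) -> Optional[Backup]:
    """Walk the backups from newest to oldest and return the first clean one.

    Backups taken at or after the detection time are skipped: they were made
    while the intruder may already have been active, so they are not trusted
    as a restore point even if the scanner found nothing in them.
    """
    candidates = [b for b in backups if b.taken_at < detected_at]
    for backup in sorted(candidates, key=lambda b: b.taken_at, reverse=True):
        if not backup.infected:
            return backup
    return None  # no clean pre-incident backup: rebuild from scratch


def data_loss_hours(restore_point: Backup, detected_at: datetime) -> float:
    """Hours of changes that are lost when restoring from this backup."""
    window: timedelta = detected_at - restore_point.taken_at
    return window.total_seconds() / 3600


def restore_summary(backups: List[Backup], detected_at: datetime) -> Dict[str, object]:
    """Facts the crisis team needs for the 5 p.m. stakeholder update."""
    restore_point = select_restore_point(backups, detected_at)
    return {
        "scanned": len(backups),
        "infected": sum(1 for b in backups if b.infected),
        "restore_point": restore_point.label if restore_point else None,
        "lost_hours": data_loss_hours(restore_point, detected_at) if restore_point else None,
    }


# Constructed sample: extortion note found on screen at 8:15 a.m. on 12 March.
DETECTED_AT = datetime(2024, 3, 12, 8, 15)

# Constructed nightly backup sets; the two most recent ones already carry the
# intruder's tooling, and one set was taken after detection (not trusted).
SAMPLE_BACKUPS = [
    Backup("nightly-2024-03-09", datetime(2024, 3, 9, 2, 0), infected=False),
    Backup("nightly-2024-03-10", datetime(2024, 3, 10, 2, 0), infected=False),
    Backup("nightly-2024-03-11", datetime(2024, 3, 11, 2, 0), infected=True),
    Backup("nightly-2024-03-12", datetime(2024, 3, 12, 2, 0), infected=True),
    Backup("adhoc-2024-03-12-0900", datetime(2024, 3, 12, 9, 0), infected=False),
]

if __name__ == "__main__":
    for key, value in restore_summary(SAMPLE_BACKUPS, DETECTED_AT).items():
        print(f"{key}: {value}")
```

On the sample data the newest clean pre-incident set is the backup of 10 March, which means roughly 54 hours of changes are lost; that figure is what belongs in the afternoon update rather than a vague "some data from the last few hours". The order of the walk matters: scanning newest-first lets the team stop at the first clean set instead of scanning the whole archive, while the cut-off at the detection time keeps a post-incident backup from being mistaken for a safe restore point.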

At 9:15 a.m., you take a quick breath. All your stakeholders have been informed and you can devote yourself completely to the situation. You are grateful that you have practiced such scenarios as regularly as fire drills. During the drills, you identified and addressed weaknesses. With the team you now have in place, you are confident that your infrastructure will be back up and running by 4:00 p.m. You have probably lost some data from the last few hours. I wonder if you will be able to announce at 5:00 p.m. that you successfully fended off the attack. How high will the fine for the data breach be?
