5 considerations for a crisis plan

Organisations are being urged to get their crisis plans in order after a recent report revealed many are not fully prepared to combat a cyber-attack.
According to the BAE Systems Applied Intelligence report, Business and the Cyber Threat: The Rise of Digital Criminality, 39% of organisations did not have, or were not aware of, a crisis response plan for use in the event of an attack. That is despite 84% of those surveyed expecting the number of cyber-attacks to increase in the next two years.

Richard Watson, Managing Director Asia Pacific and Middle East at BAE Systems Applied Intelligence, said the results suggest a need for further education on the issues that can arise from an attack and on how to handle such a crisis.

“Organisations should adopt the mindset that a cyber-attack will happen at some stage. While some attacks will have minor impact, others may threaten the reputation of the organisation and a poor response to these attacks will often worsen the fallout from a major incident,” he said.

“Consequently, the organisation needs to have effective processes to identify attacks early and then respond to these in a structured and repeatable manner, with a clear delineation of responsibility.”

BAE Systems Applied Intelligence suggests companies consider these five points when creating a crisis plan:
  1. Effective detection: Does your organisation have the right controls in place to detect targeted cyber-attacks? Is your business confident that the most sophisticated types of attack will be detected?
  2. Formalising where critical information resides: Has your organisation established which information is most valuable? Does your company know which departments, business processes, IT systems, suppliers and staff have access to this information?
  3. Roles and Responsibilities: Are roles and responsibilities clearly marked in the event of a crisis? A common problem is the lack of a clear chain of command for effective and timely decision making. A crisis will often require difficult decisions, such as at what point to turn off key systems or services, or engage with customers or media. In some industries and countries, it is mandatory to inform a regulator or the end customer if their information is breached.
  4. Access to specialists: Does your organisation have clarity over which specialist partners will be used in the event of a cyber-attack? Are these organisations on ‘retainer’ so they can be called in at short notice? A common challenge for organisations is that they don’t have pre-existing commercial arrangements in place at a time when they need urgent support.
  5. Testing the crisis plan: Are the plans periodically tested to ensure they are effective? Organisations should test the crisis plan to ensure there aren’t any gaps and share it with the entire organisation. Stakeholders should be made aware of their role in the event of a cyber-attack long before an attack takes place.
