This entry is part 4 in our series on improving your ransomware readiness.
Continuing our series of blog posts on Ransomware and Incident Response (Part 1, Part 2, Part 3) and following up on the recent discussion about top management preparation (Management Preparation), it's time to consider having an effective Crisis Management process in place.
At NVISO we like to think of Crisis Management as the Beacon whose purpose is to guide you through difficult/challenging times, for that is what Crisis essentially is. But let’s set some ground rules and consider what we mean by Crisis and Crisis Management.
Crisis Management: A beacon in the storm
When talking about a Crisis, everyone should realize that we are dealing with an abnormal situation that is beyond the scope of normal business operations and which may threaten the immediate safety, the operations, or the reputation of the company. A Crisis needs to be dealt with immediately and with the utmost priority, and decisions need to be made at the highest level. Failure to react swiftly can lead to huge impact and losses for the company. But how would you achieve this? How would you have the right people leave their daily tasks and focus their attention on managing a "new" situation that they know little about? The answer lies in swift and effective communication amongst the right people.
Managing a Crisis requires immediate attention
Corporate Crisis Management processes have improved dramatically over the last decades, not only as a result of malware and ransomware attacks but also because of climate change and extreme weather phenomena becoming more and more frequent all over the world. Corporations are (and if they are not, they should be) prepared for crises by setting up a Crisis Management team and properly preparing the organisation to respond in a timely and effective manner.
However, as stated above, communication remains a major element of an effective Crisis Management process. In times of Crisis, accurate and timely provision of information ensures that all stakeholders are well informed and can act accordingly to reduce impact and loss to the company. Please note that by Stakeholders we mean both the internal ones (employees, top management, first responders) and the external ones (general public, authorities and regulators). Information should be transparent, because you need to build trust and credibility towards all stakeholders. The value of accurate information is of the utmost importance. It is not uncommon that during a Crisis situation organisations enter a defensive mode and withhold information from other parties. However, stakeholders who are not adequately informed may be unable to take appropriate actions, potentially leading to greater harm or disruption. In the following lines, we will present guidelines for effective communication during an incident.
Crisis management process
Upon declaration of a Crisis event, the Crisis Management Team (CMT) is responsible for managing all communications to internal and external Stakeholders. The CMT usually comprises the CEO plus appointed executives, but some corporations appoint a dedicated CMT separate from the management team. Please refer to the following schematic, which illustrates the main attributes of this process:
Crisis Management Lifecycle
Initial Notification / Crisis Declaration: A Crisis situation has to be declared. Most organizations face minor incidents frequently, some even on a daily basis. However, when you are dealing with an incident that becomes a major threat to your operations, you need to inform everyone immediately. The necessary escalations need to take place and Crisis Management is invoked. Notify all stakeholders by using the communication channels that are established within your organization. Use effective methods (email, SMS notifications or other media) and make sure you attract the proper attention.
Regular updates are required: Time is of the essence. Make swift moves and provide regular updates in the form of detailed reports. Make sure to address all parties and provide the information that is required in each case. Incident responders for example, who manage recovery procedures, will need precise technical information in order to address the incident in the most efficient way possible. On the other hand, if you need to communicate with the public, a different approach may be required. Adjust your communication style in order to be more appealing and understood by the broader audience.
Transparency: Remember to be honest. No BS. Build trust with all parties, such as the local authorities (offline/private comms) and/or the public (via press releases). Withheld information eventually gets out and is very likely to backfire. Show that you are taking the strongest possible action and that you are determined to resolve the situation with the least possible impact for your corporation and for all stakeholders involved.
Stakeholder engagement / communication strategy: Did you include all internal and external stakeholders? Do you know who your stakeholders are? Carefully identify them. Make sure you did not miss any important contact points, either internal or external. In fact, it is good practice to maintain lists of all stakeholders regardless of the type of Crisis. Make sure to engage stakeholders and collect feedback during your Crisis Management process. Use agreed templates and ensure your messages are clear and get the point across. A typical list of stakeholders is the following:
Internal: Top management, Department Heads, Employees, Legal and compliance teams, security personnel
External: Clients, Suppliers and Vendors, Regulatory bodies, Media, Investors and Shareholders, Emergency services (Police, Medical, Fire dept.), Partners and Affiliates.
Communications can be carried out using several approaches and tools: websites, reports, emails, posters, meetings, workshops and more. The approaches or tools selected by the organization depend on the type of audience and the message that you want to deliver. Choose your communication tool and communication style wisely in order to pass the message on to your audience. Please also note that the type of Crisis you are facing will also determine which means of communication is most appropriate. We will now distinguish two types of communications, Internal and External:
Internal Communications
Communication towards Internal Stakeholders effectively means notifying employees. This type of communication is primarily managed by the HR department and is usually conducted through meetings, emails and reports. Let's consider the example of a ransomware incident where a significant number of corporate PCs have been compromised by ransomware. What would you do first?
i) Initial Notification: as soon as the incident is identified, notify key stakeholders (IT department, upper management and the incident response team).
ii) Incident Response Team Convenes: the incident response team assesses the situation and discusses the details of the ransomware attack. Decide on the most appropriate course of action to take. Remember to work along the following lines: Identify, Contain, Eradicate, Recover. You need to identify the extent of the damage and immediately decide on actions to stop the ransomware from spreading even further.
iii) Raise awareness: inform all employees about the ransomware incident. Issue clear and easy-to-understand instructions underlining the importance of not interacting with suspicious emails or files. Make no mistake, your employees are a vital part of solving the crisis. Inform them properly with regular updates.
iv) Constantly re-assess the situation and evaluate whether existing measures are sufficient to contain and eradicate the incident. Additional actions may be required in the event that existing measures do not have sufficient impact.
External Communications
By External Stakeholders we mean all parties directly or indirectly related to the organization. This could be customers and clients, suppliers and vendors, regulatory bodies and governmental agencies, shareholders, banks and more. There is no "one solution fits all" situation here. Each organization can create tailor-made roles and responsibilities according to its various needs. Some organizations have dedicated communication departments, specifically appointed with the task of communicating with external parties. Other organizations may assign this task to the Legal team or another existing department within the organization. Communication towards external parties can happen using emails, websites, brochures and newsletters, press releases, advertisements, etc.
Please note that communication with external parties, such as customers and the broader public, can significantly affect the organization's reputation with those stakeholders.
Notifying regulatory bodies during a crisis incident is crucial for several reasons, particularly if the incident involves data breaches or other security issues that fall under specific regulatory frameworks. Therefore, proper and timely notification of external parties is crucial.
Directives and acts such as NIS2, DORA and GDPR entail specific requirements when it comes to reporting incidents. NIS2, for instance, suggests that an initial notification is made within 24 hours of becoming aware of the incident, followed by a more detailed report within 72 hours. On the other hand, the General Data Protection Regulation (GDPR) requires organizations to report data breaches to the relevant supervisory authority within 72 hours. Failure to comply with these requirements can result in significant fines and legal penalties.
Overall, both internal and external communications play a crucial role in crisis management by helping to protect the organization’s reputation, maintain stakeholder relationships, and ensure compliance with legal obligations.
Crisis Completion: When the Crisis is over, make sure to notify all stakeholders. The Crisis Management Team is responsible for notifying all interested parties upon completion of the Crisis. Your corporation has been under tremendous stress over the past days, so please make sure to inform all interested parties as soon as the Crisis has been resolved.
Lessons Learned: What have you learned from this event? Conduct sessions with all stakeholders, summarize the actions taken and record response and recovery times. Make sure to document all information. Identify the root cause of the Crisis and take actions to prevent the same situation from happening again. So essentially, identify what could have gone better and use this knowledge to be better prepared for any future challenges.
Preparing for and effectively managing a crisis situation takes a lot of practice and should be part of the organization's mentality. Of course, nobody can predict the future, and the fact that we are living in the post-9/11 era makes this even more challenging. However, comprehensive planning, proper training, development of appropriate strategies and effective communication can make a lot of difference.
Keep improving 🙂
Nikolaos (Nikos) Grigoropoulos is a cybersecurity and risk management professional with extensive experience in financial and telecom sectors. His specialties include enhancing incident readiness and developing robust information security strategies. With a proven track record in managing information security systems, regulatory compliance, and business continuity, Nikos is committed to safeguarding organizations against evolving threats.