Managing a Cyber Security Crisis: digital resilience in the aid sector

While digital tools undeniably facilitate humanitarian response, the risk of connected societies and access to data leaves organisations vulnerable to cybercrime attacks. In this blog, CyberFish’s Berta Pappenheim explores how effective cyber crisis management differs from traditional crisis management responses and how organisations can build digital resilience to limit their vulnerabilities in the digital realm.

International organisations are increasingly aware of the evolving technological landscape in hyperconnected societies and the implications for protecting data and digital supply chains. With the rise of connected societies, easy access to cyber-crime tools and big data disrupt the dynamics between technology, security, and contexts across the globe, including those where humanitarians work with crisis-affected communities. It is, therefore, of fundamental importance for global humanitarian security leaders to look at and consider digital threats in their crisis response planning.

An organisation no longer has to be a cyber-crime gang’s target to become a ransomware attack victim. Digital crime nowadays is mainly automated on a global level, making getting compromised in the digital realm more of a question of ‘when’ rather than an ‘if’. Even global financial institutions and tech unicorns spending millions on building corporate cyber defences and cutting-edge digital security teams are compromised daily.

I would like to share a few thoughts on how crisis management for cyber security threats can be different from response operations that do not involve technology and how to get started on the journey of building resilience in the digital realm.

1. Preparing for unknown unknowns

Interconnected networks and online systems carry a complexity that only occurs in a digital context. Identifying, containing, and removing malicious software from a network and recovering that network’s normal functioning can therefore be difficult. Specialist knowledge is needed to build cyber risk awareness, and organisations should have trusted cyber experts who can prepare them to implement the necessary online defences and protect their information. The only way to reduce uncertainties around digital threats is through education and planning guided by specialist cyber security expertise.

This process often starts with getting all colleagues to understand the role of their behaviour and attitudes towards cyber hygiene. Small changes can make a big difference. This could be creating strong passwords, using multiple authentication methods when accessing critical systems, knowing how to spot phishing emails and other online scams, and reporting these to a designated information collection network to help build intelligence around threats. For instance, the UK’s National Cyber Security Centre (NCSC) has lots of available tips and guidance on their website to be used in employee awareness campaigns, suiting the needs of every organisation, big and small.

2. Communicating unknown unknowns

Crisis communications may be drastically different when discussing cyber crises because the extent of the damage is not always understood or predictable.

Communicating uncertainties internally and externally can be daunting because, as humans, our sense of safety relies on knowing what is happening. Even bad news is better than no news at all! However, simple questions such as ‘what is happening?’, ‘who is behind this?’ and ‘what will be the damage?’ are difficult to answer during ransomware attacks. There could be an automated scamming bot or a hacktivist group behind the attack. The attack could be the first step of an organised cybercrime gang trying to infiltrate sensitive information. Answering these basic questions requires knowledge of the tools, techniques, procedures, and the attacker’s objective and motivation.

The question remains: what can we do in advance to mitigate the risk and reduce potential harm? Having a clear communications plan with pre-formulated scripts for different types of digital incidents is crucial. Tweaking these at the time of the crisis creates first holding statements and subsequent follow-up statements, enabling consistent communication on the website, social media, and by the organisation’s employees, conveying a confident approach rather than instilling fear and confusion.

3. Making decisions about unknown unknowns

One of the biggest obstacles to managing online crises is the lack of insight. Paradoxically, one always has access to so much information that specialist knowledge is needed to make sense of it. Information surplus is often distracting, and stress can lead to tunnelling of information processing and dislodged prioritisation and decision-making. It is often minuscule signals from a network that have the most significant impact and can completely change the course of crisis response. However, without specialist knowledge, these can sometimes go unnoticed while other, more visible, much lower priority symptoms take up much-needed resources.

Having a straightforward process for classifying inputs and tasks, criteria for prioritisation and making decisions can take some of the stress away from the cyber incident response. Recording all actions taken in an incident log and gathering evidence, such as snapshots of systems and any data that led to a particular decision, will improve the effectiveness of specialist cyber experts’ response and the quality of insight into what is happening. Having plans and playbooks in place and exercising incident response for various digital risks is the best way to prepare your teams across the entire organisation to deal with cyber incidents before they happen.

About the Author

Berta Pappenheim founded CyberFish in 2018 with the mission of helping cyber incident teams increase their effectiveness during crises by applying her expertise in organisational psychology and experience in managing global cyber threat intel teams.

Related: