Critical decision making during a cybersecurity attack
It seems that we can’t go more than a few days without reading about another municipality that has been victimized by a cybersecurity attack. Making matters worse, such news items invariably go on to say that the municipality “had no other choice” than to pay a ransom to get their systems back.
Cybersecurity response protocols typically include between seven and 10 key decisions. This article focuses on two critical decisions that your organization would likely face during a cybersecurity attack.
Each example below offers a default position solely to demonstrate how the process works. Individual default positions may differ.
Key Decision #1: Will you pay ransom?
This is the elephant in the room and the decision that everyone wants to address first in every cyber exercise. For the purposes of this article, let’s take the position that no, we will not pay a ransom unless it becomes in our best interest to do so. That means there must be a compelling business case to move the organization toward paying a ransom. Here are some considerations that might change your position:
- Your cyber insurance provider. It’s important to understand the insurer’s perspective on paying ransom, and who makes the final decision.
- What if the ransom demand poses a credible threat to public safety or to one of your employees? If there is a broader risk to public safety, the decision may be taken to a different level.
- What if there were credible evidence to support the hacker’s claim that your data has been stolen? What if the hacker included a sample of the stolen data as part of the ransom demand? Would it change your perspective?
- If you can recover the locked systems yourself, you would be less likely to pay the ransom. But what if you were unable to recover the lost or compromised data and platforms? Would that change your position about paying the ransom?
These are the types of considerations that should be built into a Cyber Response Plan so that the team is prepared to respond to this critical decision. Your municipality may have additional considerations.
Key Decision #2: Should you engage law enforcement?
This is more complex than you might expect. Your gut may be telling you that you should engage law enforcement every time. But there are several things to consider before making that decision.
For this article, the default position is that the organization is willing to engage law enforcement if necessary, but the decision will be made on a case-by-case basis to maximize flexibility and appropriately manage risk. This may sound wishy-washy, but that’s exactly why ample consideration should be given to these points ahead of time. Determine your position now, long before you need to make the decision.
You would likely lean toward engaging law enforcement when:
- the perpetrator is known to you (often the result of an inside operation where attribution is known);
- you plan on taking legal action against the perpetrator;
- the attack also threatens public safety or national security;
- there is clear evidence of a criminal act, such as theft; or
- there is a threat to infrastructure such as water supplies, treatment plants, electrical grids, etc.
Remember, reporting the incident to law enforcement doesn’t change your obligations to manage the incident internally. Law enforcement is not your cyber nanny. They are not going to retrieve your data; their focus is on catching the bad actors.
Benefits to a Laid-Out Approach to Cybersecurity
These are examples of the type of questions to be considered in cybersecurity response plans. This enables the leadership team to understand their position before the crisis occurs and gives them the opportunity to work from a position of strength.
As with any response plan, it must be practiced. A practice exercise stress-tests the principles of the Cyber Response Plan to see how they would apply in a real-life scenario.
There are many benefits to laying out a principled approach that gives consideration to likely decisions that your team will face during a cyber attack. The effort you put into this will pay dividends down the road.
Mark Hoffman, MBCI, CBCP, is a senior crisis management and business continuity consultant with 20 years of cybersecurity response and crisis communications experience. Mark has experience in both the public and private sectors.