Cyber Crisis Management: A Joint Responsibility
In two-thirds of organizations, it takes a minimum of two hours to take action after discovering a cyber incident. For one-fifth of organizations, it takes more than four hours. This information comes from the international study Cyber Resilience 2016 by the Business Continuity Institute. Considering that cyber incidents are having an increasingly significant impact, it's essential to reduce this response time. But what causes so much time to be lost?
In my experience with conducting crisis exercises, time is often lost because those involved believe that cyber incidents are solely the concern of the IT department.
This notion is primarily held by IT departments themselves. People naturally want to be the heroes, and IT professionals see a cyber incident as the perfect opportunity to demonstrate their value to the organization. For example, during a crisis exercise, an IT professional once told me, "We won't communicate until we have a solution: I'm not available until then." The business also has a tendency to leave the resolution of the incident in the hands of the IT department. After all, they originally outsourced that responsibility for a reason.
However, IT professionals primarily have the knowledge and skills to resolve the problem from a technical perspective, while a cyber incident can escalate into a cyber crisis with significant consequences, including financial and reputational damage. These are issues that can only be managed by the business itself. Therefore, in the event of a cyber incident, damage is minimized as much as possible when all relevant parts of the organization work together from the very beginning.
Effective cyber crisis management requires a clear process and specific agreements. It's not desirable for people to have to figure out who does what during a crisis. Many things can go wrong in such a situation: miscommunication, unclear roles and responsibilities, a lack of decisiveness, and autonomous actions, among others.
My advice is to practice, practice, practice. Not only does this significantly contribute to awareness of cyber incidents, but it also makes the desired collaboration a matter of course, with everyone knowing their role. Therefore, exercising is an investment that always pays off. An exercise does not need to be complicated or lengthy to be effective; 2 to 3 hours are sufficient for learning and improvement.
In conclusion, let's work together to ensure that a response time of 2 hours becomes the exception and not the rule in the next study!