Member News

FTI: Cyber Preparedness in the Midst of COVID-19

May 22, 2020

Why every organization should be thinking about their cyber preparedness now – even in the midst of a global pandemic.

As storefronts shut down, supply chains freeze up, consumer behaviors transform, and the world’s workforce goes remote, most organizations across the globe are facing major disruptions and are currently in crisis mode. This all means that business continuity plans and crisis communications playbooks are likely coming off the shelf and being put to use.

But what happens if, in the midst of this global pandemic, your team is faced with an unexpected crisis to juggle? A crisis that, like COVID-19, could very well determine the future and/or solvency of your organization? If you think it’s unlikely, think again.

COVID-19 Cyber Attacks & Increased Organizational Risks

Amid COVID-19, cyber attacks – particularly targeted phishing and ransomware incidents – are surging. Just last month, we saw the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA), together with the UK’s National Cyber Security Centre (NCSC), issue a stark advisory. It warned businesses and individuals of the uptick in cyber attacks, saying that malicious actors are “likely to continue to exploit the COVID-19 pandemic over the coming weeks and months.” This is no surprise. Threat actors look to capitalize on chaotic situations, like the one we’re living through, where the collective attention of corporates and employees alike is focused elsewhere, the usual hyper-sensitive guard against potential cyber ploys might be let down, and the reliance of the global population on technology to stay connected is at an all-time high.

COVID-19 cyber attacks exploit the unique behaviors and trends that mark this pandemic: a remote workforce, financially-stressed industries, and highly-strained employees. As businesses shift to teleworking, global collaboration platforms like Microsoft’s Teams or Zoom have become targets. Even the virtual private networks (VPNs) most organizations deploy to add another layer of security have fallen prey to bad actors. And given the massive disruption around us, the typically vigilant employee is more susceptible to clicking on a malicious link that contains malware, or falling for social engineering attempts that they otherwise might have avoided or reported. Organizations are facing increased cyber risks on a variety of fronts, and – while firing on all cylinders to confront the massive disruption caused by COVID-19 – they must be prepared to respond to a cyber breach.

Importantly, the way that a company responds to these types of cyber incidents can have a significant impact on its financial standing, operations, and reputation – all for better or worse.

Your Next Meeting Invite: Virtual Cyber Incident Table-Tops

So, although it’s tempting to put off that latest cyber drill you might have been planning given the severity of the COVID-19 situation, there is not a more opportune time to stress test your organization’s cyber readiness. Cyber incidents almost never happen while teams are sitting together under one roof, focused solely on the matter at hand, as they are when exercising crisis scenarios. These attacks happen in the middle of chaos, such as what we are facing today. And if you can successfully mobilize your teams to respond to and navigate a cyber threat in these worst-case scenario conditions while working remotely – you better believe they’ll be equipped to successfully do it when “business as usual” resumes.

While cyber incident preparedness requires a number of proactive measures, one key way to prepare is through virtual cyber incident simulations. Below are a few tips to help ensure your virtual table-top exercise is effective, impactful, and resonates with your teams.

• Don’t underestimate the element of surprise. We always say, practice like you’re going to play. You don’t get a heads up about a real cybersecurity incident – you find out in the heat of the moment, when there is an immediate need to respond. Send out invites for your drill five minutes before it’s about to happen to add a layer of real-life wargaming to your simulation. Ensure that your core crisis team members – and their alternates – are invited.

• Be realistic. Craft your table-top exercise around the cybersecurity threats that are most likely to impact your business or that would be particularly detrimental to your operations or assets. Include external factors – such as COVID-19 developments – as added stressors that could impact decision points in your drill.

• Bring in the experts. Having a third party help facilitate your table-top exercise – even virtually – can relieve management of the pressure of planning this drill in the middle of the COVID-19 crisis. Oftentimes, these experts – whether law firms, crisis communications agencies, or forensic teams – can provide an extensive debrief post-exercise with your teams to assess what went well and where there is room for improvement. In our experience, we’ve found that having a neutral third-party voice in the room is critical to conducting an impactful preparedness exercise and ensuring buy-in from across the business.

• Set expectations from the top-down. Get buy-in from your management teams and leadership so that everyone takes it seriously and understands that cybersecurity is a company priority – even during these uncertain times. Include relevant leaders from the C-Suite or Board of Directors in the drill, if appropriate. Similarly, ensure that escalation protocols – such as Board of Director or certain committee updates – are considered as part of the exercise.

• Think beyond the immediate scenario. Cyber incidents can be slow burns, and oftentimes waves of secondary crises may break after the initial incident is remediated. These can come in the form of government investigations, leaks, regulator inquiries, class action lawsuits, negative media stories, and more. What external support will your teams need to help mitigate these? Who is on point from your team to pull in external counsel, forensic investigators, call center support, and other important assistance? Make sure those factors are considered and discussed during your table-top simulation.

• Be mindful about what is privileged and what is not. During COVID-19, the inability to huddle in a war room might make it more tempting to put things down in writing that you typically would avoid during a cyber incident. Always be mindful that your communications could be considered discoverable, ensure external counsel is involved, and conduct business by phone as much as possible. Resist speculating about what happened or discussing potential vulnerabilities that might have led to the breach in writing. Set up dedicated channels for your teams to meet and make decisions securely.

• Perform a gap analysis post-exercise. Assess what went well and where there is room for improvement. Document any weak points in your exercise. Assign follow-up work to ensure that the exercise was a good use of time – whether that’s strengthening your response plan, building out roles, responsibilities, and escalation protocols, or creating dedicated crisis communications channels. Put a follow-up meeting on the calendar to discuss assignments and ensure that they are actioned so you can include them in your next simulation.

Remember – nothing is going to go perfectly during a cybersecurity table-top exercise.  One of your team members might miss the invite. There will be some sort of technological failure. You’ll spot an issue where you didn’t think you had one. But this is the point of table-top exercises, and these are the aspects that will ultimately better prepare your teams for a real-life incident.  It will make them stronger and it will push them to grow and evolve. So, take any missteps to heart. Learn from them. That’s the whole point of practicing.

Cyber attacks aren’t being put on hold because of COVID-19 – and you shouldn’t put your preparedness plans on hold either. We must be hyper vigilant, extra cautious, and ultimately, not let one crisis enable another.

Meredith Griffanti, Managing Director
David Dunn, Managing Director

Compliments of FTI Consulting – a member of the EACCNY.