Transformation Quarterly

Mastering communications in extreme situations with professional preparation

By Daniela Münster and Peter Gerdemann

Companies no longer ask themselves whether they might fall victim to a cyber attack; rather, it is a question of when an attack will happen (again). The decisive factor is the “how” – both in terms of the type of cyber attack and preparation for it. The threat is now greater than ever. According to Statista, in 2021, 46% of German companies were victims of a cyber attack, with the total damages amounting to 230 billion euros. The trend is upwards, and a large number of cases go unreported.

Overall, organised crime in cyberspace is increasing significantly, with cyber-crime-as-a-service becoming a widespread business model. According to Mergermarket (1), global damages are expected to reach around 10.5 trillion US dollars annually by 2025. Cyber warfare is also becoming more likely. The most common cyber attack vectors are phishing, password theft and identity theft. These open the gateways and often serve as the precursors of ransomware attacks, which continue to rise dramatically. Cyber criminals establish a foothold in the target organisation’s network, look for further weaknesses, and launch their attack at the moment of maximum leverage for extortion. A recent, widely reported case was the attack on Continental using the Lockbit 3.0 ransomware. The group behind it, currently amongst the most dangerous and most active cyber extortionists, stole around 40 terabytes of data, some of it highly sensitive, over a period of several months.

In any cyber attack, the greatest weakness by far lies in the human factor: 85% of all attacks involve human behaviour at the interface between human and machine. In particular, the significantly increased share of employees working from home has given the cyber crime scene an enormous boost. Many companies have responded by tightening their security measures for employees working from home. However, a survey by the Federal Office for Information Security (2) shows that there are still significant security gaps, confirming the large number of possible gateways.

A cyber security strategy ensures the necessary presence of mind in an emergency

An integrated approach and a common understanding of IT and data security are particularly relevant aspects in corporate security strategies. It is essential to coordinate all measures, with the experts involved working closely together as a team. Besides members of the IT department, experts from the legal department and risk management, human resources and communications should also be involved. External support can provide a further boost to security. Law firms, communications consultancies, specialised insurance companies, service providers with experience in IT and forensics, as well as auditors are a useful complement to existing in-house expertise.

The key goal of a cyber security strategy is to protect assets and minimise the risks of cyber attacks. For this purpose, the strategy must be updated on an ongoing basis and adapted to current threats and developments. What many consider a matter of course for virus protection and firewalls on their private computers applies all the more to sensitive corporate IT and operational technology (OT), which has long since become a worthwhile target for criminals as a result of the digital transformation of production processes. All of this must be implemented proactively and tailored to the individual company. Often, fundamental rethinking is needed within the company.

Cyber security must be prioritised accordingly and anchored in the corporate culture. Considering the enormous extent of the potential consequences, cyber security is a matter for top management. The executive board must be involved at an early stage with full commitment. To close the gateways that attackers exploit, the employees themselves must be strengthened as part of the security set-up. It is essential to hold training courses on cyber risks and to raise employee awareness, for example by sending out test phishing emails. Such measures ensure that employees are continuously reminded of the threat of cyber crime.

At the same time, cyber breach response plans should be developed as part of the security strategy. Having a specific plan in place will ensure the necessary presence of mind for responding calmly in an emergency. However, this is precisely the area that is still in need of optimisation at German companies. Currently, according to Bitkom (3), only 54% of companies have such an emergency response plan in place.

Integrated planning within the company can combine risk management with an assessment of weaknesses, particularly through gap analysis and dependency analysis. There should be well-defined rules for the security of the IT infrastructure and for data security, as well as appropriate governance. Further, an early warning system based on continuous monitoring of the media and social media can be useful, together with regular reporting on the latest developments and actors in cyber crime, in order to identify changes in security risks and defend more effectively against potential attacks.

Early preparation is key

As Benjamin Franklin once said, “If you fail to plan, you are planning to fail.” This might sound like a platitude, but it really hits the nail on the head when it comes to cyber security. Preparation plays a huge part in the successful management of cyber attacks, because in an emergency the company is in a state of panic and has very limited room for action under enormous time pressure. By then it is usually too late for preventive measures; the only option left is to minimise the damage.

But this outcome is not inevitable. As a top priority, employees must be given training at an early stage to raise awareness. By developing a common security culture as part of the corporate culture, security can be integrated naturally into everyday work. Commitment on the part of top management and key interest groups is also a vital factor for this strategy to be implemented successfully. Regular technical training and further education can also help protect the largest gateway, the interface between human and machine, and thus prevent cyber attacks.

Emergency response plans are essential for intelligent, level-headed crisis management. A detailed crisis manual, which comprises all information relevant for emergencies, is at the heart of the plan and provides certainty for everyone involved. In addition to the contact details of the crisis team, the manual should outline response measures for each scenario, and define procedures and processes. In particular, it should include alternative communication channels for the event that the IT infrastructure is no longer functional. The manual itself, together with the contact lists and drafts, must be accessible outside the systems that may be affected, for instance in printed form or on a separate service that can be reached offline, since a ransomware attack can encrypt the very file server on which the plan is stored. Also, as much content as possible should be available in pre-approved draft form, covering holding statements and core messages as well as internal communications, press releases, and information letters to customers. The better the preparation, the faster the crisis team can respond. Effective preparation also means that the emergency plans must be thoroughly tested by means of trial runs. A multi-phase approach is recommended here, starting with tabletop exercises in which the central crisis team discusses the written details and identifies potential gaps, and finishing with a complete simulation with practical interventions that prepares the crisis team and top management for emergencies.

The third central pillar of preparation should cover the evaluation of existing IT security mechanisms and, if necessary, the implementation of further measures. These include endpoint protection and network segmentation, the development of password policies and authorisation management, and backups together with processes for data recovery. Backups are only worth anything if they are kept out of the attacker’s reach, for example offline or on storage that cannot be altered from the corporate network, and if recovery from them is tested regularly rather than assumed to work. External IT experts can also help by assessing the relevant systems, from conducting security analyses to simulating cyber attacks in penetration tests.

Keep calm in the event of an emergency

A potential crisis may be identified in advance: there may be initial signs of a weakness, or new attack vectors may be emerging and spreading. Once a cyber attack on the company is detected, which often happens internally, the crisis team is activated immediately. Next, it is important to obtain an overview as quickly as possible and initiate the appropriate emergency measures. Limiting the damage and containing the spread within the corporate network are paramount. This means involving specialists who are able to identify and close the gateway, isolate the affected systems and initiate further protective measures. Before systems are wiped or rebuilt, the evidence on them (logs, memory, disk images) should be preserved, both for the forensic investigation and for any later legal or regulatory proceedings. Only once the entry point has been closed and the evidence secured should affected systems be restored from clean backups or reset as necessary; restoring too early risks immediate re-infection. In the event of a ransomware attack, the response strategy, including whether to enter into negotiations at all, must be weighed up and decided upon. At this stage, it is highly recommended to involve external specialists with appropriate negotiation skills.

In the event of a crisis, the greatest challenge is to communicate both precisely and quickly, even when only limited information is available. Waiting until things become clearer is not an option. Moreover, the order in which communications must proceed is particularly important. Under Art. 33 and 34 of the GDPR, an organisation affected by a breach of personal data must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach; the affected persons must additionally be informed without undue delay if the breach is likely to result in a high risk to their rights and freedoms. The 72-hour clock starts when the breach is recognised, not when the investigation is complete, so the first notification will typically be preliminary and has to be supplemented later. Subsequently, the other internal and external stakeholders must be informed. The messages to be communicated need to be carefully formulated, so that they are effective in reassuring the public without giving the attackers useful information about the state of the response.

Cyber attacks put companies into situations of considerable pressure, in the worst case culminating in the complete incapacity to act within their usual structures and processes. These are complex, exceptional situations that wreak havoc on everyday business life. It is essential to regain control of the company as soon as possible. For this purpose, all parties involved – from the management to IT, from the legal department to communications – must work together in a composed and coordinated manner. Ideally, such situations would never even come about – thanks to effective preparation and sensible crisis planning.

(1) Study by Mergermarket and Admincontrol: Under attack: Cyber due diligence demands more of dealmakers (Survey of 100 Senior Executives in Investment Banks, Law Firms and Private Equity in Q4 2022)

(2) Survey by the Federal Office for Information Security, survey of German companies who offered employees home-based work (Oct - Nov 2020; 1,000 respondents)

(3) Result of a study on behalf of the German digital association Bitkom, a representative survey of 1,066 companies in all sectors, published in September 2022.


This article was originally published in German in the online publication, Restructuring Business, February 2023 issue.