Article written by Fabrice Deblock for InCyber News.

Communication with the outside world cannot be improvised

During a major cyberattack, communication with the outside world cannot be improvised and must be as transparent as possible. Internal communication concerns the employees, but also the company’s Executive Committee.

On January 30, 2020, a massive cyberattack hit the entire Bouygues Construction group: 60 countries, 3,000 servers and 60,000 employees were affected. One of the first actions of the IT department was to “manually” disconnect the entire IS. “This decision directly impacted activities as essential as payroll or site management… But it saved the company by allowing it to make a precise inventory of the attack and to avoid too wide a spread of the ransomware,” says Thomas Degardin, currently cybersecurity coordinator at the Bouygues group, but CISO of Bouygues Construction at the time of the attack.

Once the surprise, and for some the shock, had passed, the crisis management processes were quickly put in place: creation of a “resources” unit, which would manage up to thirty “streams” in agile mode; organization of teams in 3×8 shifts (an arrangement later relaxed); appointment of people dedicated to recruiting cybersecurity experts throughout France; opening of a “strategic” crisis cell…

As for the communicators, they also got into action quickly, whether internally or with all the company’s stakeholders. “I often quote this sentence from Cardinal de Retz: ‘Honesty is the supreme skill’. In a crisis situation, the basis is not to lie. Cookie-cutter phrases such as ‘Everything is under control’ do not reassure anyone. Without necessarily telling all the facts, you have to explain what is happening, with a lot of education, because your stakeholders do not necessarily understand your business,” explains Emmanuelle Hervé, director and founder of EH&A Consulting.

Only honest and transparent crisis communication pays off

Lilian Laugerat, a former GIGN officer and director of Solace, agrees: “In front of you, you have a cyberattacker who will not hesitate to say what he wants to say and who knows your flaws. He knows that you are afraid to communicate. The question is therefore who will speak first. The answer is simple: it’s best if it’s you. You have to say what you know, but also what you don’t know, if there is a ransom or not, if you may pay it… In any case, you will never be reproached for having told the truth.”

And Stéphanie Ledoux, director and founder of Alcyconie, adds: “We must only communicate on proven and factual elements, not suppositions. Otherwise, you will have to justify the reasons why what you said did not happen, which will make you enter into defensive communication and ultra-justification. In addition, it is important to know who you are in front of: what is the attacker’s modus operandi, is he used to disseminating stolen data, bluffing, is he practicing humor or cynicism… All this information is important to adjust the course in your communication.”

What to do in the event of a data breach?

In the event of a data breach, it is imperative to inform the relevant stakeholders. Here again, the discourse of truth is essential. “First and foremost, your customers expect transparency from you. Of course, at first, they are not happy, but in the end, your approach makes you gain credibility. I have the case of a start-up that was the victim of data exfiltration. We warned its customers on Tuesday. The next day, the hackers would contact them as well. Anticipating things most often surprises cyberattackers and makes you gain confidence in your customers,” notes Lilian Laugerat.

Lying, or failing to communicate information as strategic as data exfiltration, is a risky bet that is likely to backfire on the company that is the victim of the cyberattack. “We have the specific case of one of our clients who didn’t dare to say ‘we don’t know’ about a possible data exfiltration. We were still investigating whether the ransomware had exfiltrated data when our client changed our ‘we don’t know’ to ‘there was no exfiltration’. As a result, two days later, LockBit claimed to have 4 TB of data from this company, which we were then able to verify using firewall logs,” says Wandrille Krafft, DFIR Manager and SSI Engineer at Lexfo.

Do not neglect journalists, especially the specialized press

Another parameter to take into consideration is the expertise of journalists specializing in cybersecurity. “These journalists are often researchers specializing in cybersecurity, they know where to go for specialized information. So they ask more specific questions, and know very well that, depending on the attackers, there is a high probability that there will be a data leak. If you don’t talk to them or if you avoid sensitive issues, they will be all the more tenacious and will indicate in their article that you did not wish to express yourself on these subjects,” comments Stéphanie Ledoux.

Transparency has other benefits: the feedback from an organization that has been the victim of a cyberattack always serves other companies well. “In the immediate future, in the heat of the moment, your speech of truth is useful to all your partners, who can trigger, if necessary, crisis management plans on their side. Afterwards, testifying and explaining what worked, or didn’t, in your crisis management is extremely beneficial for the entire community of companies and cybersecurity players,” adds Wandrille Krafft.

Communicating with employees… And the Executive Committee

Finally, we must not forget the internal aspect of communication, first and foremost with employees, most of whom experience the cyberattack as a real trauma. “When an organization is cyberattacked, it is a real earthquake that occurs for all employees. Beyond the purely technical aspects of the attack, the psychological and HR impacts must be taken into consideration in crisis management, in a holistic manner,” says General Marc Watin-Augouard, founder of the FIC (International Cybersecurity Forum, renamed the InCyber Forum).

“HR monitoring is indeed key during a cyberattack. It is very important to mobilise HR teams, and even occupational medicine, rather than sending them home, to monitor each individual and find out how each employee is feeling during the crisis. It also makes it possible to plan back-ups if necessary,” adds Gérôme Billois, cybersecurity and digital trust partner at Wavestone.

Another population with which it is necessary to communicate: the Executive Committee. “When we were attacked in 2020, Emmanuelle Hervé intervened with the CEO of Bouygues Construction to tell him that the crisis was going to be long. This paid off because, on D+4, he told his Executive Committee: ‘Organise yourself on the sites without IT, it will last a long time’. This took a lot of pressure off us and we were able to manage the degraded mode in a more serene way,” recalls Thomas Degardin.

Sometimes, between the IT crisis unit and the strategic crisis cell, the appointment of a liaison officer is necessary. “This person spends their time translating. On the one hand, they provide the Executive Committee with essential information, without jargon, so that managers know how the crisis is evolving. On the other hand, they receive the strategic priorities of the Executive Committee and translate them to the IT crisis unit. This frees up everyone’s time and makes communication more fluid,” says Emmanuelle Hervé.

“A rock, a lighthouse, what do I say, an omniscient person!”

The last word goes to Thomas Degardin, who advises all CISOs to prepare, in the event of a major crisis, to become a mix between a rock, a lighthouse and an omniscient person.

“The rock, because you will have to make decisions that are sometimes very structuring, such as temporarily blocking 4,000 employees. You will inevitably make mistakes. So you’ll have to be very solid. The lighthouse, with always a smile on your face, because it’s a key element of motivation for all teams. Omniscient, because you will become an ‘expert’ in all existing technologies and solutions. You will have to answer dozens of questions, sometimes without knowing whether you are right or wrong,” concludes the former CISO of Bouygues Construction.
