It’s easy to treat crisis management as an afterthought within the context of supply chain security. Businesses may assume that attacks are unlikely to happen, especially if they’ve invested in risk assessment and mitigation. Just ask some of the major vendors that have been at the root of cybersecurity crises in the recent past, despite having taken breach prevention quite seriously.
What is a cybersecurity crisis management strategy?
A crisis management strategy provides a protocol for organizations to identify, eliminate and recover from cybersecurity attacks as swiftly as possible; its purpose is to position the organization for minimal impact from a cybersecurity incident. The protocol will unquestionably reduce the stress on your executive and IT teams, and on everyone else involved in mitigating an attack, in a crisis situation.
The protocol typically spells out who does what in the event of a cyber incident and who is in charge of managing the crisis, namely the Cybersecurity Crisis Response Team (“Response Team” or “CCRT”). It also covers which systems need to be checked for impact and where the backups are located; which partners, vendors and customers need to be notified; and at what stage the Board of Directors and the media need to be addressed, and how.
For many organizations, this strategy is not only the responsible thing to do, but may also be a compliance mandate.
Two policies we suggest you look at:
- Your Vulnerability Disclosure Policy Can be Easier Than You Think
- Meeting The CMMC Compliance Challenge Head On
But where do you start? In contrast to many other security protocols – like privacy disclosure requirements, which are usually straightforward enough – there is no predefined playbook you can follow or set of boxes you can check off to plan for crisis management.
It is therefore up to each organization to research and create their own set of protocols. We’ve highlighted what should be in yours below.
Supply chain security: Your crisis management plan
Step 1: Risk assessment
The first step is to identify your supply chain security risks.
Do this by assessing which regulations and legal requirements your business is bound to when it comes to cybersecurity. You should also evaluate your contractual obligations. Next, identify the vulnerabilities that exist within your supply chain and record them in your security and risk management report. Do these vulnerabilities need to be reported to other vendors within your supply chain? Or can they be easily patched? Finally, examine how a breach may impact your business’s operations.
The easiest way to test your mettle here is to take risk assessment surveys and run some gap analysis – doing so will give you a complete score of where your current efforts stand compared to where you should be and to industry standards.
If you find any “show-stoppers,” you must stop your process and fix them before moving forward, to avoid failure at a later stage.
With this insight, you can develop a plan for managing the impact.
Step 2: Formalize your security and risk management plan
Once you’ve identified the risks, document them and put them in writing, along with a plan that spells out which steps various stakeholders need to take during an incident to mitigate the risks.
Specifically, your plan should detail:
- Whom – such as vendors, partners, customers, regulatory authorities – you need to notify about a supply chain breach. The plan should also formally name your head of cybersecurity.
- Which processes various stakeholders – such as executive, IT and public relations teams – will follow to do their part in handling the incident.
- How you’ll maintain the necessary level of transparency (which should be defined within your Vulnerability Disclosure Program).
- What information to disclose to the media, and how to disclose it. Not every part of every incident needs to be publicized, but you should think strategically ahead of time about how to engage with the media.
Step 3: Practice cyber drills
In order to ensure your crisis management plan actually works as you intend it to, you should run through cyber drills, which means engaging stakeholders in responding to simulated incidents.
If you have the resources, you can hire a professional penetration testing team to create a mock incident, then test your business’s response. Alternatively, you may use your own teams to create a simulated supply chain attack, using a red team/green team model.
The more drills you practice, the better, but you should perform one drill annually at a minimum.
Step 4: Make crisis management a collective business responsibility
Next, work to ensure that everyone in the business – not just the IT team and security experts, but everyone from PR and customer relations to sales and marketing, to the C-suite and beyond – understands your supply chain crisis management plan and knows how to play their role within it.
Do this by publishing the process in a place where all stakeholders can view it. You can also ask stakeholders to explain their role in crisis management, based on the published plan.
Be sure, too, that the plan nominates someone to take the lead in crisis management unless your business already has an obvious person (such as a CISO) to take on this role.
Step 5: Leverage crisis management
Finally, to get even more buy-in for the plan and generate business value from it, educate your sales and marketing teams in particular about the investments you’ve made in crisis management.
This is important because sales and marketing teams can tout your crisis management investments when selling your products to other companies that require a high level of supply chain security and risk management. The more commitment you can demonstrate to managing supply chain risks effectively, the better positioned you’ll be to win customers who need strong supply chain security guarantees.
Winning such business is certainly not the only reason to invest in crisis management planning, but landing more customers this way can’t hurt.