Action Steps for Threats against Cyber Attack
Description of Crisis
A cybersecurity event is a cybersecurity change that may have an impact on organisational operations (including mission, capabilities, or reputation).
This playbook is a training aid for participants in Module 2 Session 2 of the CM-300/5000 Implementer/Expert Implementer Course as they attempt the CM plan development assignment.
Scenario: A ransomware attack, locking business-critical data and disrupting services essential to your organisation's operations.
Action Steps
Pre-Crisis
Before the crisis hits, the organisation should make sure to:
- Explain to the crisis management members the threat (ransomware, phishing, etc.) and how it works.
- Establish a cybersecurity event response guideline.
- Maintain up-to-date critical contact information (service providers, additional resources, third parties intervening during a cybersecurity crisis, etc.).
- Identify alternative methods of communication for when virtual meetings are not possible, and for reaching business units if email is unavailable (conference bridge, physical command centre, etc.).
During-Crisis
The crisis management team should consider the following while managing the crisis:
- Rely on the cyber event response team to obtain updates on the situation (technical response);
- Gather information on the cyber security incident;
- Follow cyber response guidance described in the Cyber Event Response handbook;
- Assess the impact on operations (current and imminent):
  - Identify which critical systems and data are affected;
  - Identify what critical operations are or will be interrupted;
  - Communicate with affected business units;
  - Determine if BC Plans and manual workarounds should be activated;
- Assess the impact on employees (if HR data is impacted):
  - Identify what types of HR data have been affected;
  - Identify which employees have been affected;
  - Provide support and, if needed, offer credit bureau services to affected employees;
  - Communicate with affected employees and explain the "ABC Company" action plan;
- Assess the impact on suppliers and partners (if suppliers and partners are affected):
  - Identify what types of data have been affected;
  - Identify which suppliers/partners have been affected;
  - Communicate with affected suppliers/partners and explain the "ABC Company" action plan;
- Assess legal and regulatory impacts;
- Identify objectives for success (e.g., recovering operations, data, etc.)
- Communicate with relevant authorities
- If needed, communicate with a third party to help manage the situation
- If applicable, liaise with a cyber insurance supplier;
Post-Crisis
Once the objectives for success have been met and the crisis has been resolved:
- Identify gaps and action plans to improve IT security and awareness
- In a post-event report, identify what went well and what went wrong in the crisis management response and establish action plans.
- Communicate the post-event report to relevant stakeholders.