Dear top manager. Have you exercised your cybercrime crisis management?

Reading time: 14 minutes

Niels-Peter Kjølbye

Partner

8 October 2024

It's easy to be struck by fear when the topic of cybercrime comes up. It's both an unpleasant and complex scenario that can damage reputation as well as the bottom line when a company is hit by a cyber attack. So what do you do if it happens to your company? We have talked about this with Michael Sjøberg, who helps companies manage the crisis when they are in the midst of it. Fortunately, you can prepare quite specifically so that you stand firm if the worst should happen.

Cybercrime and cyber attacks may change reality for any company in an instant. Often, the consequences are overwhelming, and knowing how to best prevent an attack can be equally daunting. What exactly does an attack entail when a company is caught in the crosshairs?

"When we talk about a cyber attack, it's typically a ransomware attack where the criminals have infiltrated the company's network. It's the worst type of attack a company can face. The consequence is often a form of extortion because personal data or contracts with confidential information have been stolen," says Michael Sjøberg, Chief Hostage Negotiator at Delta Crisis Management.

"The way it happens is that, first, a ransomware group steals a large amount of confidential and sensitive data, then encrypts the company's servers so they can't be used, and finally leaves malware, which is a virus that encrypts the stolen data, along with a ransom note, which is a type of threatening letter. And that's when the trouble and crisis management begin."

And when Michael Sjøberg uses the word 'group,' it's no coincidence. Forget about the lone wolf in the basement with greasy amateur fingers. The worst ransomware groups are mafia-like organisations, often based in Russia and run like businesses with hundreds of employees and a high level of professionalism.

"Their sole purpose with the attack is to make money through extortion. You can therefore expect a Russian negotiation culture with threatening and harsh rhetoric."

"Therefore, the first and most crucial step if you are attacked is for the company to assess how severely it has been hit and what data the perpetrators have stolen. Without this understanding, you can't grasp the costs or risks – let alone decide whether the company should consider negotiating a ransom with the perpetrators," explains Michael Sjøberg.

"However, less than 40 per cent of the companies I've assisted have ended up paying a ransom. And all have paid significantly less than half of what the perpetrators demanded. This is because the company positions itself to regain control, which is absolutely crucial."

Michael Sjøberg has provided advice in connection with more than 120 ransomware cases and thus has solid experience in assisting companies that have been victims of cybercrime. He is well-versed in the various patterns of a cyber attack. In addition to being a consultant, Michael Sjøberg also shares his experience as a speaker.

Management must lead crisis management

When Michael Sjøberg receives a call, the crisis has already occurred. In fact, most companies are caught off guard by the system that needs to be activated, he explains. Often, their crisis management plan is only equivalent to the company's technical ability to return to normal operations.

"An IT contingency plan is not sufficient if the entire business is disrupted for a period, which can be the case with a cyber attack. A ransomware attack is a crisis situation for the entire company, and the management must deliver extraordinarily effectively."

According to Michael Sjøberg, the company's management must therefore have a new layer of crisis management. As management, you need to coordinate the following four tracks that together constitute the company's crisis plan:

  1. IT: Must stop the incident and begin recovery from backups (if they haven't been compromised). IT must ensure that the company restores data and systems and investigate how the criminals accessed the network.
  2. Communication: Must have a plan to ensure that the company's reputation remains intact. Who are the key stakeholders to communicate with? And what exactly do we communicate?
  3. Legal and Finance: Must know what's in the company's Service Level Agreements and understand the financial consequences. They need to report the attack to the Data Protection Agency. They should also know what the insurance covers – if anything – and where the financial loss is greatest, in order to minimise risks.
  4. Perpetrator: The perpetrators need to be managed, and here external help is necessary. A trained hostage negotiator with experience in ransomware can help validate what the hackers have stolen. A negotiator can assist in obtaining a data list from them, prevent leakage of sensitive data, and keep the door open to the hackers if you need to buy time to decrypt data.

The decisions you need to make as top management should minimize costs across all four areas. This increases complexity, and it's therefore valuable for top management to participate in a crisis task force that can make decisions in difficult situations. This often prompts a cheeky comment from Michael Sjøberg.

"When a company invites me to provide preventive guidance, I like to ask provocatively if their CEO practices crisis management," he says.

Create a concise crisis plan - and don't let IT handle it on their own

Michael Sjøberg's best advice is for the company to develop a crisis plan that defines its highest crisis level – including the body responsible for coordinating the activities, which should involve top management.

"The crisis plan should be less than 20 pages long, written in plain language, and functional in print – meaning it should be short, clear, and operational. When you're dealing with stolen data, an English-language PowerPoint report won't help you. It's also important that the IT department isn't the one designing the crisis plan," explains Michael Sjøberg.

"Far too many IT departments choose to conduct a crisis exercise themselves, believing that management needs insight into the technical aspects of a cyber attack. However, a crisis exercise should be a learning situation that is both realistic and educational. My view is that management should learn crisis management through exercises facilitated by external professionals who, firstly, have real-world experience with cyberattacks and, secondly, possess strong pedagogical skills."

More specifically, he suggests that companies organise an annual crisis exercise, which can be conducted in half a workday and includes three distinct parts:

  1. Introduction, where all task force members are taught which tools to use when the exercise begins. What should they be aware of and emphasise during the process?
  2. The crisis case, which serves as the starting point for the exercise and should ideally be a real case from the past year in a comparable industry. Here, task force members practise coordinating and managing the four tracks of the crisis plan.
  3. Debrief, where everyone in the task force discusses what they have experienced, what was challenging, and what they've learned.

"Last but not least, it's important for your company to ensure access to the right advisors, such as negotiators, IT security experts, and lawyers, who can assist you if you don't have all the expertise in-house. Ideally, this should be a 24/7 readiness, as cyber crime often occurs at night and leading into a weekend," says Michael Sjøberg.

Is it legal to pay a ransom?

If your company is hit by cyber crime, you should always consult your lawyer and conduct a sanctions check. In most situations, however, it is not illegal to pay a ransom. Michael Sjøberg nonetheless recommends reporting cyber attacks to NSK ‒ National Unit for Special Crime.

If the damage is done, you as a company can choose to pay. However, it is desirable to minimise the amount while trying to maximise the information acquired about the criminals, which you can pass on to authorities.

Nothing beats good back-ups

One of the most painful areas for larger companies' finance functions when hit by cybercrime is if the ERP and POS systems are paralyzed. For many companies, it's a nightmare scenario if the ERP system and its data can't be restored. In fact, many of Finance's headaches are quite practical, explains Michael Sjøberg, mentioning a case where the ERP system was paralyzed by a cyber attack.

"Stress levels were extremely high in that finance department. Very practical but critical issues were overwhelming, such as how do you report to the tax authorities if you can't document a single receipt? Can I just tell the tax authorities that I've lost all my accounting records and receipts in a cyber attack?"

And though the company can often get back online with 90 per cent of its systems, there may be critical services or systems that can only be restored through dialogue with the perpetrators.

"Worst case is that the perpetrators have stolen many gigabytes of confidential and sensitive data, destroyed all your company's backups, and encrypted all the systems."

"However, there is also a best case," explains Michael Sjøberg. "That's if your company has good backups, allowing the most business-critical services to be up and running again within 48 hours."

"The key words are good backups and a Business Impact Analysis. The latter is particularly important. It's an assessment of what a cyber attack can cost the bottom line in terms of financial, legal, operational, and brand risks. Top management needs to know this price. It makes it easier to assess the financial consequences of specific decisions when the company is in the midst of a crisis. Conducting a thorough Business Impact Analysis is an important task for the CFO."

Stay ahead of your legal and financial risks

We cannot negotiate with hackers. However, we can help you stay ahead if the worst should happen. More specifically, we'll help you integrate cyber security into your business-critical contracts and map both risks and obligations to suppliers, customers, and authorities.

This way, you know what a cyber attack entails in terms of your financial and legal risks.