I am sure that many people consider their organisation’s response to a cyber attack to be firmly the responsibility of the IT department. At best this is short-sighted; at worst it demonstrates ignorance.

Let’s go back a bit. Last year British Airways was subjected to a cyber attack that resulted in the theft of customer credit card details between specific dates. When I contacted my credit card company they already had actions underway to manage the potential impact. This all sounds simple enough, but it is important to remember that this could only have come about through communication, decisions and, above all else, action. We may never know for sure whether it was an established process or just action determined at the time, but it happened. Good.

So, recently, when I ran a cyber-attack exercise with one of my clients’ Crisis Management Teams I designed it to go beyond the IT response. Of course the IT members were in the room and they quickly got into containing, investigating and preventing further attacks as well as determining the full scale and nature of the impact. I kind of expected this.

What I was really interested in though was the response by the ‘operational’ team members. What would it mean for them? It’s always interesting to see how exercise participants react. Exercises can sometimes fall into the trap of ‘management by committee.’ Not so in this case. Depending on the scenario, different team members may need to take the lead in managing the situation. So faced with this particular scenario, up stepped the Head of Customer Services and, fair play to them, they owned it and directed the response. They were the expert, it was their territory, they wanted it.

They quickly put a plan of action together and pulled in help from IT, Communications and the other operational teams to ensure there was a clear and consistent message and approach for all contact (proactive and reactive) with customers. Resources were pulled from non-critical teams in anticipation of increased call volumes and the Business Impact Analysis was used to good effect in pushing back on non-critical business activities.

They did well. I love working with good people!

The exercise was a good example of divide and conquer. The IT team had lots to do. The customer-facing teams also had lots to do. The Communications team had lots to do. There was pretty much something for everyone!

In the follow-up actions after the exercise, improvements were made to the Incident Management procedures, particularly for incidents involving cyber-attacks, to better ensure that all relevant areas of the organisation were engaged, informed and ready to respond to such events when necessary.

For me, the value of having the right people on the crisis team was once again highlighted, i.e. people who know the organisation, understand its stakeholders’ requirements and expectations, and have the ability and confidence to get stuff done.

So, when you are next considering an exercise involving a cyber-attack, take it out as far as you can: customers, media, staff, suppliers, partner organisations and so on. There’s lots to be done. Lots to practise.