BLUF

In a cyber-compromise, security isn’t the only risk to consider. How organisations communicate with one another during a cyber incident may impact future relationships. A few considerations taken during another’s time of crisis might limit reputational damage.

Background

In cyber, we are concerned about crisis incidents and how we might be impacted. Most we encounter are compromises to other organizations, with the possibility of affecting us. Our concerns with data connections or repositories create real threats to our data and clients when others are compromised. How we deal with engaging them is often not considered, as cyber divisions within organisations are often not externally facing.

In looking at the organizations breached, two categories are of major significance – clients and suppliers. Clients as they are the bulk of what makes us what we are. Suppliers as they make it possible for us to operate. Sometimes they are both. In either case we are dealing with an organization in turmoil, with all hands on deck and few (if any) truly knowing what’s going on. Their communications need a limited narrative, as they don’t likely have time to respond to every organization that comes calling. We are a big and significant enough part of their operations they likely will take our calls, so having fifty different people calling will put additional strain where unnecessary.

In communicating with clients, we may have concerns about data they have residing on their systems. Past that, they owe us nothing. They give us their money. Further information would be at their discretion, with legitimate reason not to tell any more than we would find on media. If we could help them, they might give us more. If there were Continuity of Business (CoB) services we established with them, they might tell us more. Otherwise, we need to show respect for the relationship, and keep said respect at the fore of any interactions we have during their trying times.

With suppliers, we can ask more forcefully, as what happens to them may impact us – either directly through our networked connections, or indirectly through the loss of their services. We need to know if there is the potential for lateral transfer into our systems, what of our data has been exposed, the long and the short. This is part of the agreement between us. They know they are expected to answer, in many cases it may take time to have those answers. We may have to work a CoB plan of our own and how to deal without.

The paradox exists when they are both client and supplier, as now we have to tread with more care (the same for dealing with FIs as both client and supplier), taking into account our business relationships with them. Are they a major client? Are we for them? If we are forceful with our correspondence, who from their end will be looped into the communication? Do we want their seniors taking offense and calling out ours? I ask because these questions have been overlooked with potentially harmful results. Recently.

In every case, this has the potential for opportunity.

Looking at how we build Operational Resilience, we need to make considerations for communication channels and the roles we seek to play within them. Just how much dread do we want victim organizations to have when we reach out to them? Can we turn this into a saving grace for those we do business with? Can we build our communications to make it so they reach out to us first? What would it look like?

The more we think of possibilities in our cyber ecosystems, the more we uncover the means to build investments.

-scl