  • it-sa News
  • Management, Awareness and Compliance

A case for the crisis team

People know little about how crisis teams are structured and how they work – still less when it comes to IT security cases. But in the worst-case scenarios, who’s really responsible? And when does an emergency become a “crisis”?

What to do if a ransomware attack paralyses business? You can deal with such situations better if you’re prepared. Which is why emergency management should be of interest to both IT security and corporate management.

Germans have become familiar with the concept of a crisis team, especially since the catastrophic flooding the country witnessed this August. Yet people know little about such teams’ structure and methods – especially when an IT-based emergency is involved, and in spite of the fact that fast responses are especially essential in the event of a cyberattack.

All the same, not every serious service disruption represents a crisis. Experts distinguish various categories to reflect an event’s scope and severity. Problems in the simplest category are often called “incidents” – usually issues that an IT department can resolve relatively quickly, using its own resources. These events and their management are covered in a separate article on “Incident Response”.

Emergency or crisis?

If the incident has a greater scope, or experts need to be brought in, or the damage becomes extensive, the incident becomes an emergency. That’s when an emergency manager comes into the picture. This manager must know the procedures all through the company, and has to be able to assemble the right experts from within the organisation. IT emergency management is usually among the responsibilities of IT security. An event does not become a crisis until it attains such a scope that it might threaten the company’s survival or pose a hazard to people. At this point a crisis team gets assembled. If there has already been an escalation, they will already have been notified of the threat during the emergency phase. 

A disaster is the last escalation stage. This arises when an event causes extensive damage and the threat goes beyond company walls – for instance in a chemical accident. But problems that arise outside a company, like floods, can also constitute a disaster. Germany’s Federal Office for Information Security (BSI) provides a brief overview of these categories (German only). Specialised institutions like hospitals or power stations often have their own categories that differ from those described here.

 

Different areas of responsibility 

An emergency is usually handled by an emergency manager; a crisis team doesn’t come into play until there’s a crisis. Germany’s Federal Office of Civil Protection and Disaster Assistance (BBK) defines a crisis as a “situation deviating from normal that has the potential to cause, or has already caused, damage to legally protected property and can no longer be managed by normal organisational procedures and structures”. In such cases a “specially established organisation” becomes necessary, and a crisis team is one such possibility. It is responsible for strategically managing the company in the event of a crisis. But extensive preparations are needed if the team is to be able to act quickly in such a situation.

 

Composition of a crisis team 

A crisis team should be composed so that all segments of the company are involved. But that often turns into a political issue – especially if power struggles are going on between different departments. Along with all relevant specialised units, the IT and HR departments should also be represented. The IT Security department will of course be brought in for an IT security incident. But Corporate Communications often gets overlooked – even though it can be an especially important resource in critical situations. After all, employees must be informed about the steps to be taken and the rules of conduct to be followed. Communications must also be maintained with outside entities like the press, suppliers and customers.

It’s also important to appoint auxiliaries – because a crisis team’s work can’t be expected to keep to a “nine to five” schedule. Other duties of a crisis team include regular situation reports, with information and assessments about the current picture; emergency measures should also be ordered, and their implementation should be monitored, especially in terms of their effects. “It is desirable for decisions to be taken unanimously by the crisis team”, the BSI writes. But it also realises this will not always be the case. “Should this not be possible, the team head will decide.”

Author: Uwe Sievers

 