Most information crises arise from a natural disaster or a cyberattack, but in today’s hyper-connected world, a crisis can strike from anywhere and when you least expect it. In fact, something as seemingly benign as a social media post can be the start of a systemic “disease” process that quickly spreads across an organization’s entire infrastructure.
“We know it can happen because we’ve seen it happen, and we’ve been on the frontlines helping organizations that aren’t prepared for a crisis manage their way out,” says Gaby Batshoun, president and founder of Global Business Solutions (GBS).
The risks and hard dollar costs from an information crisis can be stingingly real – especially for small/mid-sized firms. In fact, 95% of SMBs that are compromised and have a significant data breach are out of business within six months because of FBI fines and fees. According to a 2018 IBM study entitled Cost of a Data Breach: Global Overview, the average cost per lost or stolen record is $148. “The general public hears the headlines about companies like Target and Equifax paying millions of dollars, but they don’t realize where the fines come from – these are directly attributable to the number of records the FBI finds are stolen,” says Michael Pearson from WatchGuard Technologies.
With decades of infrastructure security experience, GBS knows what it takes to be fully prepared. Since 1995, the Newport-based IT and technology company has been giving companies a fighting chance to not only recover from information crises but thrive afterward. According to Batshoun, there is little doubt that a company’s information infrastructure provides the vital arteries that keep its operations up and running effectively, yet a crisis that impacts that infrastructure is something that few companies are truly prepared for.
So, ask yourself – has your organization taken the necessary steps to be prepared in the event of an information crisis? When a crisis occurs – no matter its source or extent – your first priority always is to re-establish security and return to full operation as quickly as possible. But what are the necessary specific procedures that must be carried out to ensure that happens? How many of your people know precisely what to do in a crisis? Is there a list outlining each person’s responsibility? How will staff communicate with each other if your communication system is down?
You must have a strategic crisis management plan.
“To fight off a crisis takes a passion for being prepared, immediate concerted efforts and intense focus to resume normal operations as soon as possible. And most organizations need help in getting there,” Batshoun says.
His overall approach to information crisis can be summed up as follows – effective crisis management and securing the information infrastructure are only possible when everyone involved knows their role, is well-prepared to act and actively contributes.
“Our approach starts with creating a rock-solid foundation for information management, and it has two pillars,” he explains. “Develop and document a comprehensive process to follow, and assign and train a Crisis Response Team.”
Process Development & Documentation
According to Batshoun, documented processes and the specific steps to be taken by each functional department allow incident response team members to follow a precise plan of action. “This plan can be used as a foundation for training and pre-crisis preparation. The beauty of this plan is that it provides a ‘script’ for actions that must be taken – particularly those that jeopardize a company’s ability to fully control its data and communicate internally and externally. Furthermore, a documented crisis process gives the response team a detailed foundation which provides them the time and perspective needed to act and communicate more thoughtfully.”
Best Security Practices
Crisis plan documentation should be written, organized by individual Response Team function, and readily accessible to all crisis team members, Batshoun emphasizes. It should also include the following steps:
- Secure the physical safety of all individuals
- Secure the physical security and safety of the building
- Secure the information infrastructure: firewall policies, server and data backup policies, email policies and telephone.
- Secure personal, confidential information of employees and clients
- Secure all intellectual property, trade secrets and high-value information
- Establish and document rules governing email utilization to co-workers and external contacts during a crisis
- Password management – document and share only as appropriate the passwords to business-critical software, cloud-based applications and protected spreadsheets, etc.
Form and Mobilize the Crisis Response Team
A Crisis Response team should include a comprehensive set of internal teams grouped by skill and expertise. For example:
A. Senior Management:
“A core group of senior managers should serve as the communication and final decision-making hub for your organization,” Batshoun advises.
B. Legal Team:
“Because most crises have legal implications, I always recommend having legal counsel representation during the crisis lifecycle.” If the crisis is the result of a virus or malware attack, he adds, legal counsel must be involved from the start.
All outwardly-focused communication groups must be completely plugged in and know when and how to respond, he emphasizes. “We have found that when a company’s communication system is completely down, chaos quickly escalates. But when a team of company communicators are prepared for a myriad of possible crises, the outward communications are more seamless, timely and valuable.” Although GBS’ core expertise is IT and infrastructure, Batshoun adds, he and his staff have gleaned key lessons on how teams work together to manage through it all.
The Crisis Response Team, Batshoun points out, is typically responsible for logging into and managing all social media channels, as well as communication with Google to thwart malicious online activities. “We have seen that the anatomy of an information attack can go as far as to alter the results of Google’s algorithm,” he says. “We’ve seen that through targeted acts, the words Google displays to describe a company can change based on the online and social media conversation. In one case, GBS engineers contacted Google and worked with them to remediate the damage.”
- Technical/IT Team
According to Batshoun, in the event of an information crisis, it is imperative that the technical team be fully engaged, highly trained and experienced. This team acts as the company’s “nerve center,” ensuring the organization’s information resources are secure. Its actions and findings are among the most critical.
“We’ve seen firsthand that a true information crisis directly impacts all components of a company’s infrastructure,” he says. “The core network components and all systems that make up the network, the email system, the phone system – even the company’s website and social media sites – are directly impacted.”
Today, companies of all sizes must have a documented, strategically detailed plan in place for when – not if – a crisis occurs, Batshoun concludes. “This is the world we live in, the reality we live in.”
Most IT departments are over-tasked and don’t have the experience to deal with a true information crisis. That’s why partnering with an IT solutions company with crisis management experience and deep knowledge across all technologies is so important. One of GBS’s greatest strengths is working with small- and mid-sized companies, and the IT solutions company leads the pack in optimizing a suite of business-specific technologies for Greater Cincinnati businesses.