Financial losses from cyberattacks have reached 10 trillion euros globally. If cybercrime were a country, it would be the world's third-largest economy, right behind the United States and China. For Finns, it's easier to grasp the scale when considering that the value of cybercrime is over 100 times Finland's state budget.
A cyberattack can be as difficult to detect as a stealthy murder. The situation is often unclear for a long time: investigations are tedious, and the culprit may never be found. Meanwhile, personal and financial damages can be significant. In the worst case, an organization’s operations may come to a complete halt when attackers steal or modify confidential information, compromising the safety of stakeholders.
But the nasty effects of cyber crises don't stop there. Public handling of the situation in the media can permanently erode an organization's reputation. If the crisis spirals out of control, the company can easily find itself in a public storm, where years of building trust with stakeholders simply vanish within days.
Can we survive a severe cyberattack?
Yes, it is possible to survive a severe cyberattack, but only by preparing in advance. In a crisis, time and expertise are your most valuable assets, and neither can be acquired once the crisis is already unfolding. Therefore, organizations must prepare both to prevent crises and to simulate potential situations. The European NIS2 directive, which comes into force on October 17, 2024, also requires companies to be prepared for cyber threats.
Additionally, it's essential to recognize the emotional aspect in a crisis. Emotions like fear, anger, and despair can impair decision-making and lead to mistakes. While emotions are part of being human, they must be identified and controlled, especially during a crisis.
How to prepare for a cyberattack?
Preparation, quick response, and effective communication are key to managing cyber crises. Here are a few steps an organization can take to improve its resilience:
1. Mapping risk scenarios and simulating crises: Pre-simulated crisis situations help organizations identify risks and prepare for their potential realization. Simulated scenarios also provide valuable emotional experience, which can prove invaluable in a real crisis.
2. Building trust capital: Does your company have sufficient trust from its stakeholders? Strengthening these relationships during good times helps maintain them during a crisis.
3. Forming a crisis team: A pre-selected and trained expert team is crucial in crisis management. Crisis leadership is a specialized skill, and not every leader is naturally suited for it. That's why training is essential.
4. Creating pre-planned communication lines: What will you say when you don’t know what to say? Pre-designed communication strategies help in delivering messages effectively amid uncertainty.
5. Prepared action lists: Ready-made action lists help control emotions and ensure efficient operations in a crisis situation.
Our recommendation is to prepare for the worst likely scenario. Only by doing so can an organization handle a crisis effectively and maintain its operational capability.
Netprofile's H72 model – Supporting cyber crisis management
The internationally recognized H72 model, developed through the PrivacyRules alliance, helps organizations prepare for cyber threats and manage crisis situations effectively. The key principles of the model are:
Simulation exercises are an essential part of the H72 model. They help organizations identify weaknesses, prepare for potential crisis situations, and improve their readiness to handle a crisis effectively.
Cyber crisis simulation ensured crisis preparedness
In November 2023, we led an international cyber crisis simulation for members of the PrivacyRules alliance. Participants included data protection lawyers, IT and cybersecurity experts, and communication professionals from around the world. The exercise highlighted the importance of continuous training and preparedness to effectively manage cyber crises.
Gene F. Price, leader of Frost Brown Todd’s cybersecurity and data privacy team and a former deputy commander of the U.S. National Security Agency’s (NSA) Navy Cyber Command, participated in the exercise and said:
“The simulation demonstrated the importance of organizations staying up-to-date with technological developments and ensuring that both senior management and operational leaders prepare together. The exercise reinforced the critical fact that continuous training and preparation are essential for successful crisis management, whether the challenges are legal, technical, or military. Effective crisis communication and stakeholder management are not intuitive skills. They are competencies that require ongoing training to prevent catastrophic events – especially when facing a cyber threat that can lead to shocking losses and global consequences.”
Recognition for the H72 model in the communications field
The name H72 comes from the 72-hour notification requirement for data breaches under the EU’s General Data Protection Regulation (GDPR). It has proven to be an effective tool in improving organizations’ cyber crisis preparedness, crisis management, and communication. In recent years, the H72 model has received broad recognition and won several awards:
Are you prepared for cyber crises? If not, we'd be happy to tell you more about our H72 model. Together, let's take your organisation to the next level of preparedness!