When a hacker strikes, a virus brings the e-mail system to a halt, or an employee leaves a laptop in a taxi, the people leading the response are your information security team. Guided by the crisis management team, they halt the breach, identify the impact and, finally, put processes in place to avoid the same thing happening again, writes Paul Maloney, managing director of Technology Management and Consultancy.
But what happens when it is a PR crisis? Do you involve your information security team, or is it left to crisis management and the PR people to resolve?
If a senior member of staff is photographed by the local press in a compromising situation, or bad news breaks about a deal in progress, you would expect someone to handle the press calls and to fight back with positive information, but would you put your information security and IT people on alert?
During a public (or private) crisis a large number of people will be trying to obtain information on what is happening and, as with an iceberg, only a small percentage of this will be visible: phone calls to the switchboard, or requests for information through the correct channels. Advance warning to the information security team means they can prepare responses, alter their logging profile to concentrate on key areas and review specific vulnerabilities in relation to the threat.
If someone has hired a hacker to break into the network and steal data about the crisis, it is likely the information security team will have a visible role in fighting the crisis, but they can have a more passive role as well.
The team can start by doing a quick risk assessment, looking at vulnerabilities and threats, and reviewing the footprint of information relating to the crisis. Does the website need changing to remove information, does the e-mail scanning software need configuring to spot new keywords, or do the web filters need changing to ban particular sites?
A useful task could be a timely reminder to employees about the status of e-mail, phone call and web traffic monitoring within the organisation. This may just be enough to put people off revealing sensitive information about the crisis.
Information seekers may use social engineering techniques to masquerade as a friend, relative or business associate of an employee and ask them to reveal information about the crisis. These communications (via e-mail, social websites or phone calls) feed on the human desire to gossip and will not ask direct questions. A reminder about these techniques, and to check the validity of any communication, could come from the information security team and reinforce the existing training.
By analysing the traffic into and out of the organisation the team can aid other departments in their responses. If the team sees a large increase in activity to a particular website, the PR team could access the site and post positive information in response. If the door system is showing an increase in footfall in and out of the building, the physical security team may be able to post some reminders about security on the entrances.
By analysing against historical trends the information security team can support all the other departments, but only if they have been asked to and the communication structure is in place prior to a crisis. In the modern corporation it is unlikely that "careless talk costs lives", but it is possible for careless e-mails to cost jobs.
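The two paragraphs above describe spotting a sudden rise in traffic to a particular website by comparing it against historical trends. The following is an added example of that check (not code from the article or its author): it reads constructed web-proxy log lines in an assumed "<date> <source IP> <destination host>" format, takes every earlier day in the log as the baseline, and flags hosts whose hits on the crisis day exceed a multiple of their historical daily average, including hosts never seen before.

```python
from collections import Counter, defaultdict


def parse_line(line):
    """Parse one constructed proxy log line: '<YYYY-MM-DD> <src-ip> <destination host>'."""
    day, _src, host = line.split()
    return day, host


def daily_counts(lines):
    """Return {host: {day: request_count}} built from the proxy log lines."""
    counts = defaultdict(Counter)
    for line in lines:
        day, host = parse_line(line)
        counts[host][day] += 1
    return counts


def find_spikes(lines, current_day, factor=3.0, min_hits=10):
    """Flag hosts whose hits on current_day exceed `factor` times their average
    daily hits over all earlier days in the log (the historical trend). Hosts
    with fewer than `min_hits` today are ignored to avoid noise; a host never
    seen before has a baseline of 0 and is flagged once it clears min_hits."""
    counts = daily_counts(lines)
    # ISO dates compare correctly as strings, so this selects every earlier day.
    baseline_days = sorted({d for per_day in counts.values() for d in per_day if d < current_day})
    spikes = []
    for host, per_day in counts.items():
        today = per_day.get(current_day, 0)
        if today < min_hits:
            continue
        baseline = sum(per_day.get(d, 0) for d in baseline_days) / max(len(baseline_days), 1)
        if today > factor * baseline:
            spikes.append((host, today, round(baseline, 1)))
    return sorted(spikes, key=lambda s: s[1], reverse=True)


# Constructed sample (not real traffic): eight quiet days, then a "crisis" day
# (2008-05-09) on which staff flock to a news site and a previously unseen forum.
SAMPLE_LOGS = []
for day in range(1, 10):
    date = f"2008-05-0{day}"
    SAMPLE_LOGS += [f"{date} 10.0.0.{i} intranet.example" for i in range(1, 21)]
    SAMPLE_LOGS += [f"{date} 10.0.0.{i} news-site.example" for i in range(1, 6)]
SAMPLE_LOGS += [f"2008-05-09 10.0.0.{i} news-site.example" for i in range(6, 41)]
SAMPLE_LOGS += [f"2008-05-09 10.0.0.{i} gossip-forum.example" for i in range(1, 16)]

if __name__ == "__main__":
    for host, today, baseline in find_spikes(SAMPLE_LOGS, "2008-05-09"):
        print(f"{host}: {today} hits today vs {baseline} per day historically")
```

The intranet host stays at its usual 20 hits a day and is not reported, which is the point of measuring against the trend rather than against raw volume.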
Security Zone

Security Zone is a regular series in Computer Weekly covering all aspects of IT security management. Each article is written by a member of the International Information Systems Security Certification Consortium (ISC)2.
