When the hacker strikes, the virus brings the e-mail system to a halt, or an employee leaves a laptop in a taxi, the people leading the response are your information security team. Guided by the crisis management team, they halt the breach, identify the impact and, finally, put processes in place to avoid the same thing happening again, writes Paul Maloney, managing director of Technology Management and Consultancy.
But what happens when it is a PR crisis? Do you involve your information security team, or is it left to crisis management and the PR people to resolve?
If a senior member of staff is photographed by the local press in a compromising situation, or bad news breaks about a deal in progress, you would expect someone to handle the press calls and to fight back with positive information, but would you put your information security and IT people on alert?
During a public (or private) crisis a large number of people will be trying to obtain information on what is happening and, like the iceberg, only a small percentage of this will be visible: things like phone calls to the switchboard or requests for information through the correct channels. Advance warning to the information security team means they can prepare responses, alter their logging profile to concentrate on key areas and review specific vulnerabilities in relation to the threat.
If someone has hired a hacker to break into the network and steal data about the crisis, it is likely the information security team will have a visible role in fighting the crisis, but they can have a more passive role as well.
The team can start by doing a quick risk assessment, looking at vulnerabilities and threats, and reviewing the footprint of information relating to the crisis. Does the website need changing to remove information, the e-mail scanning software configuring to spot new keywords, or the web filters changing to ban particular sites?
A useful task could be a timely reminder to employees about the status of e-mail, phone call and web traffic monitoring within the organisation. This may just be enough to put people off revealing sensitive information about the crisis.
Information seekers may use social engineering techniques to masquerade as a friend, relative or business associate of an employee and ask them to reveal information about the crisis. These communications (via e-mail, social websites or phone calls) feed on the human desire to gossip and will not ask direct questions. A reminder about these techniques and to check the validity of any communication could come from the information security team and reinforce the existing training.
By analysing the traffic into and out of the organisation the team can aid other departments in their responses. If the team see a large increase in activity to a particular website, the PR team could access the site and provide positive information postings in response. If the door system is showing an increase in footfall in and out of the building, it may be that the physical security team can post some reminders on the entrances about security.
By analysing against historical trends the information security team can support all the other departments, but only if they have been asked to and the communication structure is in place prior to a crisis. In the modern corporation it's unlikely that "careless talk costs lives", but it is possible for careless e-mails to cost jobs.
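As an added illustration (not part of the original article), the sketch below shows one way a team could compare today's outbound web activity per site against its own historical trend and hand the outliers to PR. The log line format, hostnames, dates and thresholds are all assumptions constructed for the example.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

def per_day_counts(log_lines):
    """Count requests per host per day from 'YYYY-MM-DD user host' lines (assumed format)."""
    counts = defaultdict(Counter)
    for line in log_lines:
        day, _user, host = line.split()
        counts[host][day] += 1
    return counts

def find_spikes(log_lines, today, min_hits=20, z_threshold=3.0):
    """Return (host, hits_today, baseline_mean) for hosts far above their own history."""
    counts = per_day_counts(log_lines)
    # Every day before 'today' that appears anywhere in the logs is a baseline day.
    baseline_days = sorted({d for c in counts.values() for d in c if d < today})
    spikes = []
    for host, by_day in counts.items():
        hits = by_day.get(today, 0)
        if hits < min_hits or not baseline_days:
            continue  # ignore low-volume noise and the no-history case
        past = [by_day.get(d, 0) for d in baseline_days]  # quiet days count as zero
        mu, sigma = mean(past), pstdev(past)
        # Floor sigma at 1 so a perfectly flat history cannot divide by zero.
        z = (hits - mu) / max(sigma, 1.0)
        if z >= z_threshold:
            spikes.append((host, hits, round(mu, 1)))
    return sorted(spikes, key=lambda s: -s[1])

def sample_log():
    """Constructed proxy log: seven normal days, then a crisis day (2024-03-08)."""
    lines = []
    for i in range(7):
        day = f"2024-03-0{i + 1}"
        lines += [f"{day} staff news.example"] * (40 + i)  # busy but steady site
        lines += [f"{day} staff forum.example"] * 2        # normally quiet site
    lines += ["2024-03-08 staff news.example"] * 42
    lines += ["2024-03-08 staff forum.example"] * 60       # sudden interest
    return lines

if __name__ == "__main__":
    for host, hits, baseline in find_spikes(sample_log(), "2024-03-08"):
        print(f"{host}: {hits} requests today vs. a daily average of {baseline}")
```

The steady high-volume site is not reported because its traffic matches its own history; only the site whose activity jumped relative to its baseline is flagged.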
Security Zone is a regular series in Computer Weekly covering all aspects of IT security management. Each article is written by a member of the International Information Systems Security Certification Consortium (ISC)².