In its recent Insights note following escalating Russia/Ukraine tensions, the Cybersecurity & Infrastructure Security Agency (CISA) recommended clear steps to ensure that companies’ full response teams – including IT, communications, and legal – are prepared to act in the event of a critical cyberattack. CISA urged every organization in the US to "take urgent, near-term steps" to improve cybersecurity and resilience, which includes designating a crisis-response team and conducting tabletop exercises so all participants understand their roles and are ready to quickly and effectively respond to an incident. The organization’s guidance highlights a key aspect in an evolving geopolitical dynamic: business interests are very much at the table when tension emerges between states.
To appreciate their concerns, we need only to think back to the global mayhem caused by NotPetya in 2017, an attack against Ukraine attributed to the Russian military. The attack crippled corporations, ports, and government agencies across the world, with damages estimated around $10 billion. There was broad coverage of the impact on major corporations such as AP Moller-Maersk, Merck, FedEx, Mondelez International, WPP, Reckitt Benckiser, and Saint-Gobain, which in some cases had certain systems down for weeks or months. The incident underscores how cyberwarfare can spill across borders with serious repercussions.
A number of companies found that their business-continuity plans did not hold up to this level of disruption, and in many cases were unable to continue doing business or even communicate with customers and employees in the wake of the attack.
There is much to learn from these previous attacks. A number of companies found that their business-continuity plans did not hold up to this level of disruption, and in many cases were unable to continue doing business or even communicate with customers and employees in the wake of the attack. Many organizations reported losing basic communications systems such as email and phones, making a coordinated company response – and communications with stakeholders – particularly challenging in the early days.
Warnings of Russia-backed cyber threats have continued to proliferate in recent days, signaling the seriousness of the current climate. Canada’s cyber spy agency was the latest to alert companies, following advisories from CISA and the UK’s National Cyber Security Centre (NCSC). Companies including Mandiant and Microsoft have also provided guidance on steps companies can take to strengthen their defenses as risks increase.
Communications leaders have an important role to play in preparing their organizations to respond and mitigate the damage these attacks can cause, including ensuring that: escalation protocols are understood; communication alternatives are in place in the event normal channels are down; spokespeople are trained and available; and contact information is updated and easily accessible. These processes – and the team responsible for implementing them – should be tested regularly.
Finally, companies can consider taking advantage of resources available through sector-based Information Sharing and Analysis Centers (ISACs). In a nation-state attack, the impact could be industry-wide, and may involve government stakeholders. ISACs can assist coordination between the private sector and the government, including for communications.
By understanding the lessons from prior attacks and following industry best practices, companies can prepare themselves to respond to potential threats, ensuring stakeholder trust is preserved in the face of a critical incident.