Cybersecurity as an Emergency Management Concern
During my graduate studies, I had to confront the question of what it means to be critical. It was an important point to cover since I was in the Critical Disabilities Studies Program. These investigations also led me to ask: what is stress? What is bullying? Researchers who conducted surveys discovered that what exactly constitutes bullying depends on who is asked. This mushiness makes it difficult to write on specific aspects of bullying: for some people, but not all, having to work long hours constitutes a form of bullying. A similar ontological challenge emerges when attempting to define cybersecurity. For a person attempting to offer “cybersecurity services,” navigating the ephemeral use of the term underlies the task of providing a business service. But let us proceed into this volcanic molten landscape to gain a grasp of the morphological implications.
Assume, for the sake of argument, that cybersecurity is about protecting an organization from threats that tend to involve network systems. Understandably, an individual in IT might adopt an internal perspective: that is, certain changes can be made within the organization to deal with both internal and external threats. In response to phishing emails, one idea is to block the sender (Alias1). Once the sender is blocked, they can no longer send the phishing email. This assumes that the sender stated on the email actually sent the email. If this is indeed the case, the sender can attempt to send the same content using a different email address. However, the company, now familiar with this deception, immediately blocks the sender again. The hacking group responsible decides to assign a different specialist: this person – pretending to be a vendor – forwards an invoice to the company. The apparent purpose of this invoice is to obtain payment, but it also contains details on how the company can access an online portal to obtain up-to-the-minute account information. The company logs in to the elaborate portal and supplies its current vendor account information. The specialist advises a third specialist to contact the company’s accounting department by phone – posing as the vendor. The hacking group begins the process of taking data from the vendor’s account: client names, physical addresses, email addresses, phone numbers, transactions, and possibly even credit cards. The hacking group systematically attempts to contact all the clients. Alias1 receives hundreds of extracted email addresses. The process continues.
The above scenario is fictitious. It is meant to show that the initial response – blocking the sender – is not helpful if the threat comes from an organized group, and such a group is often part of a broader criminal organization. This is when a company might be tempted to simply define cybersecurity in relation to network systems, ignoring the pedigree of those involved. However, for hackers, anything and everything that works is on the table. When a company limits the meaning of cybersecurity, this can have the effect of concealing the multifarious dimensions of the threat.
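The point about blocking senders can be shown in code. The following is an added illustration, not part of the original article: a per-address blocklist is compared with a filter that fingerprints message content across senders and flags login/portal links from domains outside the known vendor list. All addresses, domains and messages are constructed sample data, and the vendor list is an assumed input.

```python
"""Added illustration (not from the original article): why a per-sender
blocklist fails against an adaptive sender, and how fingerprinting the
message content across senders catches the re-sent lure. All mail below
is constructed sample data; the known-vendor list is an assumed input."""
import hashlib
import re
from dataclasses import dataclass


@dataclass
class Email:
    sender: str
    subject: str
    body: str


# Constructed sample: the same lure re-sent from a second alias after the
# first was blocked, a "vendor" invoice pointing at an unknown portal, and
# one benign message.
SAMPLE_MAIL = [
    Email("alias1@example.net", "Invoice overdue",
          "Please log in to verify your account: http://portal.example.net/login"),
    Email("alias2@example.org", "Invoice overdue",
          "Please log in to verify your account: http://portal.example.org/login"),
    Email("billing@vendor-example.com", "Your invoice",
          "Attached invoice. Access up-to-the-minute account info at "
          "http://accounts.vendor-example.com/portal"),
    Email("colleague@example.com", "Lunch", "Are we still on for 12:30?"),
]

URL_RE = re.compile(r"https?://\S+")


def blocklist_filter(mails, blocklist):
    """Baseline response: drop only mail whose exact sender address is blocked.
    A re-sent lure from a new alias passes straight through."""
    return [m for m in mails if m.sender not in blocklist]


def fingerprint(m):
    """Hash the message text with URLs and addresses masked, so swapping the
    sending alias or the portal domain does not change the fingerprint."""
    text = f"{m.subject} {m.body}".lower()
    text = URL_RE.sub("<url>", text)
    text = re.sub(r"\S+@\S+", "<addr>", text)
    text = re.sub(r"\s+", " ", text).strip()
    return hashlib.sha256(text.encode()).hexdigest()[:16]


def campaign_filter(mails, known_vendor_domains):
    """Flag (a) a message whose fingerprint was already seen from a different
    sender and (b) a login/portal link sent from a domain that is not on the
    known-vendor list. Returns [(sender, [reasons]), ...] for flagged mail."""
    seen = {}  # fingerprint -> first sender that used it
    flagged = []
    for m in mails:
        reasons = []
        first = seen.setdefault(fingerprint(m), m.sender)
        if first != m.sender:
            reasons.append(f"same content as earlier mail from {first}")
        domain = m.sender.split("@", 1)[1]
        if (URL_RE.search(m.body) and domain not in known_vendor_domains
                and re.search(r"portal|log ?in|account", m.body, re.I)):
            reasons.append("login/portal link from unknown domain")
        if reasons:
            flagged.append((m.sender, reasons))
    return flagged


if __name__ == "__main__":
    passed = blocklist_filter(SAMPLE_MAIL, {"alias1@example.net"})
    print("blocklist let through:", [m.sender for m in passed])
    for sender, why in campaign_filter(SAMPLE_MAIL, {"realvendor.example"}):
        print("flagged", sender, "->", "; ".join(why))
```

Run as a script it shows the blocklist passing alias2 and the fake vendor, while the content-aware filter flags both, with the re-sent lure tied back to alias1. The fingerprint is deliberately coarse (masking URLs and addresses) so that a sender who only changes the alias or the portal domain is still matched to the earlier campaign.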
At the same time, cyber threats tend to have the following characteristics: they are computer-mediated; systematic in nature (e.g. thousands of emails); targeted at groups of people affiliated or connected in some manner; they try to exploit mistakes, errors, oversights, and accidents; they take advantage of confusion and structural instabilities resulting from increased scale; and they make use of flaws and vulnerabilities in technology. Although it is true that IT might itself be involved in building the technological pillars of a company, IT is not necessarily responsible for the deficits or deficiencies in the technology. For example, a newly discovered vulnerability in Windows 11 cannot be blamed on somebody in the IT department. A hacking scheme may have the appearance of a kind of marketing campaign – directed at a target audience that seems susceptible. Hackers also make heavy use of technology, and they often carry out their plans remotely.
How exactly should companies deal with cybersecurity threats? Given that the criminal enterprise is persistent, highly motivated, and constantly changing, it is important not to simply respond in reaction to specific instances in a detached and poorly-planned manner. It is necessary to have elaborate plans. Choosing to adhere to specific standards should not be confused with having either strategic or tactical plans. Think of a breach as an emergency situation – for example, like a building fire. Fire doesn’t care about global standards even slightly. Neither do hackers. It can be said, however, that best practices can sometimes provide useful guidance: these can be focused on preparedness (e.g. structure of the command centre and tactical deployment scenarios); employee awareness campaigns; incident response; incident learning; and perpetual improvement. Which individuals will be contacted? What information will expedite their remedial activities? What information will be provided to clients and local authorities and by whom?
Avoid brawls and existential crises during an incident
- Have network infrastructure mapped out and ready.
- Ensure the command structure has already been established so people can immediately assume their roles.
- Have a list of critical contacts and resources at hand.
- Have statements to the public and media prepared in advance.
- Know where all the critical assets are located, including phone numbers for key individuals.
- Ensure that those occupying central roles also possess the training to perform their duties properly during emergencies. Have back-ups ready in case an individual is on vacation or no longer with the company.
- Know what the main objectives are. For example, protecting client information is a focal point for many compliance professionals.
- Consider a number of “default responses” that can be invoked temporarily while the company assesses the situation: e.g. the default response in the event of a confirmed breach.
