Hacking then phishing – kicking a person when they’re down!

Today we’re going to highlight two issues for the price of one. Not bad for a Monday!

Firstly we have the recent admission by British Airways that criminals had hacked their website and that personal details – including bank card numbers – of about 380,000 customers had been compromised. To add insult to injury, it took them 15 days to realise and then warn customers so they could take action, by which time a huge number of fraudulent transactions could have been conducted by the criminals and whoever they sold the card data to. If only they had an effective Security Operations Centre like other multinationals (really should) have!

Secondly, the fact that BA contacted their customers by email – and the possibility of this being exploited by other criminal groups – was debated by my fellow security professionals last week, so I thought I’d check my spam folder in my personal email account. Imagine my surprise when I spotted the attached message! It took a few moments, but we found a few indicators of a phishing email (the “return to” address was very suspicious, suspicious hyperlinks not going to the BA website, minor grammatical errors in the text, the promise of two free plane tickets being unrealistic for half a million customers, etc.).

Would you have spotted it?

So there we have it, a quick and simple introduction into how one criminal group can quickly jump on the bandwagon and exploit another criminal group’s actions, preying on people who are easily exploited because they’re under pressure dealing with the first problem. Talk about kicking a person when they’re down!
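The header and link indicators listed above (a “return to” address on a different domain from the sender, hyperlinks that do not go to the brand’s own website) can be checked mechanically. The script below is an added example and is not code from this post or from British Airways; it assumes `BRAND_DOMAINS` as the set of domains the brand legitimately uses (britishairways.com and ba.com are BA’s public domains, but treat the set as a placeholder for whatever brand you are checking), the sample message and its `.example` hostnames are constructed for the example, and `_registered()` is a deliberately crude two-label approximation of the registrable domain rather than a public-suffix lookup.

```python
"""Phishing-indicator checks over a raw email message (added example, constructed data)."""
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the brand legitimately sends from and links to. Assumed for the example.
BRAND_DOMAINS = {"britishairways.com", "ba.com"}

# Constructed sample resembling the message the post describes. The
# ba-refund-center.example host is made up (.example is reserved for documentation).
SAMPLE_EMAIL = """\
From: British Airways <customer.care@britishairways.com>
Reply-To: claims@ba-refund-center.example
Return-Path: <bounce@ba-refund-center.example>
Subject: Your compensation: two free plane tickets
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer, we are sorry for the recent data incident.</p>
<p><a href="http://ba-refund-center.example/claim">Click here to claim your two free tickets</a></p>
<p><a href="https://www.britishairways.com/travel/home">Manage booking</a></p>
</body></html>
"""


def _addr_domain(header_value):
    """Domain part of an address header such as 'Name <user@host>'; '' if absent."""
    if not header_value:
        return ""
    addr = str(header_value).strip()
    if "<" in addr and ">" in addr:
        addr = addr[addr.index("<") + 1 : addr.rindex(">")]
    return addr.rpartition("@")[2].lower()


def _registered(host):
    """Crude registrable-domain reduction: last two labels (example only, no public-suffix list)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collects href values of <a> tags from an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def phishing_indicators(raw_email, brand_domains=BRAND_DOMAINS):
    """Return a list of (indicator, detail) tuples found in the message."""
    msg = message_from_string(raw_email, policy=policy.default)
    indicators = []

    # Indicator 1: reply/bounce addresses pointing at a different domain than the visible sender.
    from_dom = _addr_domain(msg["From"])
    for hdr in ("Reply-To", "Return-Path"):
        dom = _addr_domain(msg[hdr])
        if dom and _registered(dom) != _registered(from_dom):
            indicators.append((f"{hdr} domain mismatch", f"{dom} != {from_dom}"))

    # Indicator 2: hyperlinks whose host is not one of the brand's own domains.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    collector = _LinkCollector()
    collector.feed(html)
    brand_registered = {_registered(d) for d in brand_domains}
    for href in collector.hrefs:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        if _registered(host) not in brand_registered:
            indicators.append(("link to non-brand host", href))
        elif parsed.scheme == "http":
            indicators.append(("brand link over plain HTTP", href))
    return indicators


if __name__ == "__main__":
    for name, detail in phishing_indicators(SAMPLE_EMAIL):
        print(f"{name}: {detail}")
```

On the constructed sample this reports the Reply-To and Return-Path mismatches and the claim link to the non-brand host, while the genuine “Manage booking” link passes. The grammatical-error and “too good to be true” indicators from the post are left to the human reader; a lexical check would add noise without adding much signal.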


Crisis Management – not just for huge corporations (Part 2)

In the last article I introduced the concept of crisis management and suggested a process. Now we will take a look at how those principles and the process can be applied to a much smaller organisation or even a sole trader. Let’s look again at the RACER process introduced in Part 1.

Principles – think about what could go wrong that could develop into a crisis, in the context of the business in question. Don’t limit it to what could go wrong within the business (e.g. a big error by an employee or yourself, something really important breaking or being stolen); consider the external environment which is out of your control but could negatively impact your business or livelihood (e.g. natural disaster, market crash, Brexit (sigh), power cut). In other words, what keeps you awake at night? Have a think about it, consider ‘what-if’ scenarios and what a ‘bad day at the office’ might look like, and document them.

Structure – let’s say you’re a lone trader. OK, in some respects there’s the answer; it’s just you. But is that really the case? Can anyone else help you out in your moment(s) of need when things go a bit awry? Having someone with you who is emotionally detached from the incident to help with some tasks (probably coordinating activities, possibly helping with communication) and add the impartial voice of reason will definitely help in tense moments. Identify them, warn them, talk it through with them.

Process – have one. There are lots out there, but they all share common components (like a beginning to kick it off, a middle bit where stuff happens, and an end bit to recover and move on). I had to pick one, so I went with the RACER model, with RACER being an acronym comprising:

  • Report – the incident, event, crisis. I would also say this covers ‘detect’ that something is wrong
  • Assess – evaluate the nature of incident and severity (including potential severity)
  • Convene – the most suitable crisis management team (yes, it might just be a couple of you, but it’s still a team)
  • Execute – agree objectives, make decisions and take action
  • Resolve – close the incident, review and learn lessons

Clearly there’s lot more behind the process above, and I could write volumes on the topic, but this is just a taster and there’s a fair chunk of it that’s self-explanatory. Besides, we’re always on standby to help you in this area, so drop us a line and we’ll see how we may be able to support you.

Practice – finally! The last part, but arguably the most important part if you want to take this topic seriously. I’m sure there are many large organisations who are the proud owners of fantastic crisis management plans that are sat gathering dust on shelves waiting for the ‘in case of emergency break glass’ (or hit ‘print’) moment. Are you going to conduct a large-scale exercise with actors on the phones, emails sent to you describing dramas, scenarios played out in real time? No, of course not. In a similar vein to your earlier conversation with your trusted family member or friend who will come to your aid when you need it (back in the structure bit), grab a strong coffee, beer or wine and go back to your what-if scenarios and see how you might apply the plan.

OK, the above is hardly the most robust preparation, but I’d argue that it’s better than nothing, and would go some way to having a degree of preparedness with not too much effort. If you need more information about this, just drop us a line. If you need a checklist of topics to be discussed the first time you meet to work through the crisis, we can tailor one for your needs which serves as the “when things go wrong print this document and follow the steps” file. I can tell you from personal experience, sitting on your bum with your fingers crossed (or thumbs crossed, as is their wont in Germany and Switzerland) is not an effective means of building resilience in any size of organisation. Escalate early (preferably before an incident becomes a crisis), scrape a team together (even if it’s just one extra pair of hands), and follow the (a) process. Any process. Just have one you’re comfortable with and you’ll be in good shape.

Crisis Management – not just for huge corporations (Part 1)

Since time immemorial we have seen the devastating effects of major disasters and other uncontrolled events, coupled with eye-watering estimations of the financial costs of their remediation. Union Carbide’s tragic accident in Bhopal resulted in thousands of deaths and a loss of over $500 million. More recently, UBS’s “Rogue Trader” cost them over $2 billion, and the total bill for BP’s Deepwater Horizon catastrophe will be at least an order of magnitude more, estimated at a whopping $35 billion. Accordingly, the term ‘crisis management’ will be a stranger to very few people, and it would be remiss of any large organisation not to have a crisis management plan of some sort (though I would question whether they are all (1) fit for purpose, and (2) practised).

That’s all very well for the large conglomerates with access to buckets of resources, but where does that leave the likes of me as a lone trader or someone running a small family business, I hear you cry? Well, my answer is simple … if you do the same, it’s madness; it would be a massive waste of resources which you just don’t have. However, in my opinion, by applying the same principles, picking out a few elements of a good crisis management plan and doing a bit of light-touch preparation, you can develop and implement a half-decent plan with minimal effort that might just tip the balance in your favour when things start to turn south without warning.

So what constitutes a crisis management plan? Well, ask 20 professionals and you’ll get at least 30 opinions, and I’m not going to pretend that what I’ll cover is the textbook answer, but given that our principle at SLB is simplicity, what I’ll briefly demonstrate here is good enough for this article.

In essence, an effective crisis management plan contains the following core components:

  • Principles – the purpose of the plan (e.g. minimise risks to life, limit damage to the environment, preserve the company’s reputation…), recognition of the types of crises it may cover, perhaps guidance on when to trigger the plan (i.e. when an incident or event becomes a crisis)
  • Structure – composition of the crisis management organisation (e.g. a crisis management team with designated leader, communicator, coordinator, log keeper, functional experts, etc.)
  • Process – the steps to be taken in a crisis (or preferably before a crisis materialises)
  • Practice – exercise the plan and the crisis management organisation

The challenge, then, is how this can be applied to small businesses or individuals. Let’s keep this simple (that’s what we do, right?!), so in Part 2 of this article we’ll start very small and only build on it if we need to.