A question of preparedness: crises can occur in organizations at any time. Companies that take a reactive stance face the risk of operational collapse or even injury or death of personnel - Risk Watch
Internal Auditor, Oct, 2003 by Albert J. Marcella, Jr.
COMPANIES TEND TO ADDRESS the crises they know about; however, it is the ones they don't know about that cause the most damage. Few could have predicted the world changes that have occurred in the past 24 months, and crisis management has become an area that no organization can afford to ignore. Constructing and addressing challenging and creative crisis or threat scenarios should no longer be considered optional, but should be part of every organization's aggressive, proactive, and ongoing continuity planning strategy.
Internal auditors play a vital role in preparing organizations to deal with a crisis. Auditors need to identify who in the organization is responsible for assessing its crisis management capabilities. Does the organization even have a crisis management program, department, or team?
In the absence of a formal crisis management team, internal auditors--along with those employees within the firm who are responsible for incident management, continuity planning, security, and human resources--can come together as a proactive team to assist in mitigating exposures that may be created by a scenario such as the one presented in this article. Specific activities undertaken by these professionals include responding to alerts and breaches of security, investigating internal threats, quickly moving to contain and mitigate losses, performing forensic analysis, and supporting overall organizational compliance with legislation.
Assessing an organization's weaknesses may require the assessor--be it the internal auditor, security analyst, or risk management team member--to take unconventional measures, approach the evaluation from different perspectives, and to think like a cyber-criminal or terrorist might think. The crisis event presented here--although fictitious--raises questions that require clear, informative, decisive, and immediate answers.
ONE CYBER-CRIME SCENARIO
Your organization's network administrator has just returned from lunch to find an addressed manila envelope on her desk. Opening the envelope, she finds the following contents:
* A compact disk (CD).
* A note that simply reads: "Upload this CD's contents to your corporation's central server by 3:00 p.m."
* A typed sheet of paper that details--in chronological order--the activities of her family from the previous weekend.
* Photographs of each member of her family cross-referenced to the chronological activity list.
* Photographs of her parents, who live in another state, standing outside their home and dated with today's date.
The exposure represented by a threat of criminal coercion of corporate personnel and damage to infrastructure should not be ignored or taken lightly. In this scenario, the cyber-criminal's motive is not clear. It could be to disrupt customer service and normal company operations, to simply intimidate the employee, to incite a loss of customer confidence, or to generate financial instability within the targeted organization. Or, the crime could be more personally motivated--a vendetta against an employee or the organization itself.
IT IS NOW 1:30 P.M.
1. How does your network administrator react? What does she do?
2. Does your organization have a response plan in place to deal with this type of cyber-terrorism? Has this been considered a realistic scenario in the organization's disaster recovery and business continuity plan? If not, why?
3. Does the network administrator know whom to call first? Her family? Her parents? The local police? Federal law enforcement? Company security personnel? Should she call anyone at all?
4. Do local authorities know how to respond to an information technology (IT) "crisis event" such as this without jeopardizing all parties involved? Does the organization's in-house security--IT as well as physical security staff--know how to react and respond?
IT IS NOW 2:00 P.M.
5. Will contacting any of these parties tip off the cyber-criminal, potentially resulting in loss of life, destruction of corporate assets--buildings, inventory, or foreign operation locations--or a retaliatory strike on the organization's physical plant or general personnel population?
6. Does your organization have the ability to replicate its network and run the CD to ascertain what damage--if any--might occur by uploading the CD as instructed?
7. Does the organization have the ability to upload and roll out a shadow--or duplicate--network as the real thing so as to avoid jeopardizing the intended cyber-target while seemingly complying with the criminal's demands? Is this even a wise and logical approach given what is at stake?
8. Do internal controls exist within your organization's network environment that could neutralize the effect of malicious code being directly uploaded to the network's central server?
9. Does your organization have the ability to compartmentalize sensitive data so it remains secure in the event of a system-wide exposure incident?
IT IS NOW 2:20 P.M.
10. Can your organization ensure that confidential data is not accidentally disclosed to third parties who may be called for assistance, to those who may be given remote access to the system, or to those who may ask--or even demand--to have access to your network to track and monitor the result of uploading the CD's contents?