Petya Puts Disaster Communications in the Spotlight

By Kate Fazzini

One of the important lessons businesses can learn from the Petya ransomware attacks is their need to coordinate a communication strategy in the event of a major cyberattack. Last month’s hacking campaign exposed flaws in many companies’ disaster recovery strategies, in some cases causing major disruptions to the most basic communications channels, like phone and email.

The attacks led to widespread phone outages at companies that particularly relied on network-connected voice technologies, like voice over internet protocol, commonly known as VoIP. Law firm DLA Piper, for instance, saw two days with all telephone and email communication knocked out, and sporadic outages in the immediate days of recovery thereafter. Dutch shipping giant A.P. Moller-Maersk had phone issues as well, and many firms experienced widespread email outages as a result of the attack.

The lack of access to communications was striking in part because of the sometimes-complex workarounds employees had to use, such as typing and sending legal briefs from home computers and personal email, in order to get in touch with clients and colleagues. Failure to keep clients updated on crises, and keep their trust, could result in lost business, reputational damage and other complications. Preserving the integrity of communications channels and preparing a variety of ways to communicate could have helped, experts said.

Business Continuity

For small and medium-sized businesses, the Small Business Administration provides an emergency communications checklist, which can be completed with an eye to the specifically devastating technology effects of a cyberattack. The checklist includes a five-step process: determine roles and responsibilities; determine entities with which you communicate; document when to activate the plan; determine, document and publicize the plan; and educate employees about the plan.

John Riggi, head of the cybersecurity and financial crimes unit at BDO USA LLP and former section chief of the National Cyber Outreach Section of the Federal Bureau of Investigation, said setting up “out of band” communications is a must.

“In an emergency situation, people should be switching over to alternate lines of communication for text, voice and data, and those should in no way be connected to the company’s network,” said Mr. Riggi, meaning text, voice and data services outside the company’s network. Some companies even offer back-up emergency email service that can be pre-loaded with individual emergency response groups. Companies must, as always, test their off-network channels on a regular basis to ensure they’ll work in a crisis, he said.

During Hurricane Sandy, in the New York and New Jersey areas, many institutions communicated with their employees via frequently updated push texts to their personal cell phones. Voicemails, sent again to employees’ personal phones, gave vital instructions on whether or how to come into offices, even as some experienced widespread network outages.

While these business continuity methods are “old-fashioned,” Mr. Riggi said, they offer a number of new advantages in the context of cyberattacks: namely, the ability to communicate off-network when a company may have been thoroughly infected with malware.

Alex Tsepetis, chief technology officer for OnSolve LLC, a company that provides enterprise mass notification services, said a strong business continuity strategy includes knowing what channels of communication are available to your company and how they will work in a variety of scenarios.

Enterprise-wide, multi-channel push notifications, similar to those sent en masse by local governments in the case of emergencies or an “Amber Alert” but on a smaller scale for businesses, are one strategy for informing staff of critical updates during an adverse event.

In the case of a phishing attack or a website-based watering hole attack, Mr. Tsepetis said companies can use a desktop notification function, so employees connected to the network can receive instant warnings about what is happening and what they should avoid.

“Obviously, for example, if there is an email phishing attack, you don’t want to send an email around saying ‘don’t open your email,’” he said.

As for alerting customers and clients to issues and progress after a cyberattack, having a robust strategy with clear lines of command is essential, Mr. Tsepetis said. This way, notifying via any available channel and receiving communication back from employees about what they are experiencing can still take place, and filling in details for the public via social media channels can be easier.

Certain alert communications can also be automated, he said, such as instant warnings to certain technology staff and key executives when the company’s firewall has detected what may be a denial-of-service attack.

In the end, communications strategy can make an important difference in how quickly a company recovers from a cyber event.

“It speaks to how key constituencies will view your company,” Mr. Tsepetis said, including customers, regulatory agencies or business partners. “If you allow an event to be mischaracterized, it takes the control out of your hands. It can make something get characterized as a disaster when it is not, it can cause your messaging to be captured and affect your strategy in the long run.”

(Kate Fazzini writes about cybersecurity for WSJ Pro. She has held roles in cybersecurity at Promontory Financial Group and JPMorgan Chase, and is an adjunct professor of cybersecurity at the University of Maryland, teaching cybersecurity for business and government. Write to Kate at kate.fazzini@wsj.com.)

Original Post can be found at The Wall Street Journal.