PrivacyRules network enhanced its preparedness with a cyber crisis simulation

PrivacyRules & Netprofile

For the first time, data protection lawyers and experts in IT, cybercrime investigation, and communications from the international PrivacyRules network simulated demanding cooperation and crisis communication in a cyber crisis affecting citizens of multiple countries. The lessons learned led to immediate improvements, and the cyber simulation became an integral part of PrivacyRules' international preparedness.


International cyber crises are managed under difficult pressures 

PrivacyRules is a global network of data protection expert organizations that sought to increase its readiness and ability to operate in large-scale cyber crises affecting multiple countries. The requirements imposed by different countries’ legislation make cyber crisis management challenging, especially when operating under simultaneous pressure from numerous stakeholders, the media, and tightening legal demands.

The idea was that a demanding cyber crisis simulation would highlight different countries’ legal data protection and security requirements, and force professionals from different fields into high-pressure cooperation and communication.

The simulation, including the scenario, was carefully constructed

The simulation aimed to test the impact of ransomware and the response to paying ransom demands. A key factor in designing an effective scenario was selecting a target company that would be educational from a data protection perspective. We chose an international fertility clinic, for which a brand, image, history, and operations were created.

The simulated cyberattack began with ransomware and video threats from the attackers, after which the crisis escalated quickly. Critical personal data was leaked to the dark web. Concerned parents, who had received treatments, and the media began bombarding the company’s leadership, who had to make tough decisions, including whether or not to pay the ransom.

The simulation was led by a consultant from Netprofile, with the training team also including the Director of Cyber Risk Partnerships from Secureworks, the Chief Security and Technology Officer from CSS Assure, and a lawyer from Lexia. Polpeo handled the simulation platform’s maintenance and progression from London. The simulation involved seven PrivacyRules teams in Brussels, each consisting of 6-8 members from various countries.

A simulated situation is surprisingly authentic – and promotes learning

The cyber crisis at the fictional international fertility clinic put the participating experts under pressure and tested their cyber crisis management and communication skills. They had to make quick and strategically critical decisions on crisis management measures and communicate with various stakeholders across multiple social media channels, discussion forums, and media outlets.

During the simulation, the atmosphere in the room changed dramatically. The noise level rose as the teams planned strategies, built a picture of the attack, investigated necessary actions and legal obligations, managed communications with multiple stakeholders, and responded to the attackers' demands.

The lessons learned from the simulation were invaluable. In the debriefing session, participants emphasized the critical importance of communication and media expertise in crisis and reputation management. Members have since reported concrete steps and decisions that they have taken to improve preparedness in their respective countries.

Netprofile and PrivacyRules are finalists in the Training and Simulations category of the 2024 Finnish Communications Awards. The winner will be announced on October 30th, 2024.

"The cyber crisis simulation led by Netprofile’s consultant was a test of stress tolerance. The importance of collaboration and communication emerged as the most crucial crisis management skills. The greatest testament to the simulation’s impact is that we turned it into a sellable product for PrivacyRules members. Now, they can offer simulation exercises and strengthen their clients' crisis preparedness in their respective markets. Simulating a cyber crisis with Netprofile will also be a key part of the PrivacyRules Network’s top events.”

Andrea Chmielinski Bigazzi, founder of PrivacyRules

Interested in cyber crisis simulations? Get in touch!