The Cybercrime section of PwC’s recently released Global Economic Crime Survey 2016 report highlights that … “Most companies are still not adequately prepared for – or even understand the risks faced: Only 37% of organisations have a cyber incident response plan.” [Source: Global Economic Crime Survey, Cyber Threats, PwC].
So what happens when your organisation is under cyber-attack? Needless to say, the first and most immediate concerns of senior managers are likely to be: (1) what action needs to be taken? And (2) who has the proven knowledge and experience required to contain and eradicate the incident?
The trouble is, of course, that the point at which you are in the grip of a ransomware attack spreading towards your core data is not the best time to schedule a management meeting to discuss items (1) and (2). A properly formulated response plan aims to manage a cyber security incident so as to limit the damage, maintain the confidence of external stakeholders (you simply don’t want the people and organisations that you do business with assuming the worst), and reduce recovery time and costs.
Who should lead your cyber incident response?
As in all crisis situations, an organisation should have a senior person to take the responsibility for devising and implementing the Cyber Incident Response Plan across business units and geographies.
Steve Shepherd MBE, 7Safe’s Cyber Incident Response Lead, recommends that the person who takes charge of an incident should understand the technology and the processes and, more importantly, be able to rely on the people involved in mitigating the incident.
“At 7Safe, we’ve met hundreds of cyber consultants, security and IT managers. Many were not fully-prepared or did not understand the range of available actions to take in a cyber-attack, especially where the risk to organisational data was considerable. What seems like a perfectly reasonable course of action can sometimes play into the attacker’s hands. You are not likely to be their first victim so preparation through skills training is vitally important.”
If you don’t assess risks, you are acting blind
The Plan itself should be based on a proper assessment of risks, threats, and potential failure modes. This assessment should be refreshed continually on the basis of changes in the threat environment.
By risk-assessing scenarios in terms of their probability of occurrence and their impact on business activity, your team will be able to determine the risk factors associated with different types of cyber-attack.
If you are running a large enterprise, the risk matrix that this process of risk identification, analysis and calculation of likelihood and impact generates will help to determine the mitigation measures – and prioritise the spending in a way that protects your confidential data assets and business ROI.
Steve Bailey, 7Safe’s Cyber Lead, has this management advice to Cyber Incident Response planners:
“In among the items in your risk treatment plan, you should include quick-response guides for likely scenarios. This is because most human beings ignore the possibilities until they actually face them. When they do, they need a set of clear and sensible steps to follow to avoid panic overtaking them.”
These ‘guides’ should be straightforward to follow at every level of responsibility for your systems. However, you should already have established processes for making major decisions, such as when to isolate compromised areas of the network. This is not as straightforward as it may first appear. The understandable reaction of ‘pull the plug’ can make containing the malware harder: abruptly powering off a machine destroys the volatile evidence (running processes, network connections, memory) that investigators need to understand the attack, and if the system immediately fails over to backup servers, those servers may then also be infected.
How should you go about preparing your version of the incident response guides? Steve Bailey says:
“This is where consulting a cyber-attack incident specialist can often prove a worthwhile investment. We can advise you how to respond to a variety of cyber threats without escalating the risk levels.”
At the same time, your planning should be used to set up and maintain relationships with key external stakeholders, such as law enforcement and the suppliers with whom you hold service-level agreements.
Make your cyber incident response plans known – and understood – by all employees/stakeholders
The documentation of cyber response plans should be made available to the entire organisation and should be routinely updated to reflect the changing threat environment: security is not a steady state. Likewise, you should ensure through training and exercises that all your employees understand their respective roles and responsibilities in the event of a cyber incident, and test that understanding at least twice a year. A great many new and challenging cyber threats can emerge in six months. If your response plans are based on last year’s known attack vectors, you can be caught out. That’s why it’s wise to work with cyber security consultants through a continuing relationship rather than on a one-off basis: you need their insight before you find out the hard way.
In your process, identify the individuals who are critical to incident response and ensure there is cover for each of them. Having done so, practise through simulated breaches so that the response becomes second nature.
The best-prepared organisations routinely conduct their own form of war games to stress-test their plans and their people, increasing awareness and fine-tuning decision-making response capabilities.
# # #
Looking for Cyber Security services you can trust – used by Government organisations and the Police? Click through to 7Safe’s information pages:
Or speak to one of our trained advisers in complete confidence on 0870 600 1667.
... before your organisation becomes the next high-profile victim of a cyber-attack.