Cyber attacks continue to make headline news; every organisation should have considered how it would respond to a major cyber incident. After all, every organisation is a potential target of cybercriminals and nation state actors, whether directly or as collateral damage in a supply chain attack. Hackers’ motives are wide ranging but may include stealing sensitive data, extortion, espionage, accessing partners’ systems to stage subsequent attacks, or simply having a bit of fun at the expense of their victim.
Although it has become a cliché to say, it's not a matter of if you become a victim, but when. Blind optimism that ignores the potential problems is a recipe for disaster. Once we accept that one day we will fall victim to a cyber attack, it makes sense to be prepared and resilient, knowing what we’ll do when the time comes.
Getting prepared for a cyber attack
There can be complex technical factors to consider when preparing for a cyber incident response, but there are also many fundamental planning activities that significantly impact how effectively you recover from an attack. These include but are not limited to:
Response and recovery strategy
- Does leadership know their role in cyber incidents?
- Who forms the incident response team and how experienced are they?
- What key systems could be unavailable and for how long?
- What are the business priorities?
- Who might be required to provide specialist support?
Communication and reputation
- What are your internal escalation pathways?
- Who are your stakeholders and how will you notify them?
- What messages are released during the incident, considering the potential sensitivities?
- How will you respond to the media when the news breaks?
- Who is responsible for media interviews and are they trained?
Situational awareness
- How do you translate technical information for decision makers?
- How will you coordinate all response activity?
- How will you know if data has been stolen?
- What is the impact of that stolen data?
- How does this influence your decision making?
Preparation in practice
Crises are chaotic. You can reduce this chaos by making sure that the roles and responsibilities of staff involved in an incident response are clearly defined and regularly rehearsed. This ensures that decisions are made at the correct level, which results in focused activity and less incident 'noise'.
Documentation
Documentation is key as it provides a framework to initiate a response and ensures consistency. But every incident is unique, and plans contain assumptions. For example, how certain are you that the communication system you invested in will work if the corporate network goes down? Perhaps very confident, but perhaps not. What alternative systems will you use to coordinate the incident response without access to your primary communication platform? If this system is deemed critical to your business operations, what contingencies have been put in place, or what resources will it take to bring the system back in a reasonable timeframe, considering that those resources are then unavailable to complete other important tasks?
People
Building the capabilities of your staff to meet unique challenges within a structured framework is ideal. But understanding the limits of those capabilities, and what additional resources may be required, is just as important. This might be technical support, such as retaining a Managed Security Service Provider to meet your digital forensics and incident response requirements, but there is a wide range of other external skills, such as legal services and PR support, that may also be required, and it is preferable to establish these relationships before an incident occurs.
If you have dedicated internal resources to respond to cyber incidents, consider the pressure these staff will likely endure in a major attack. They take pride in their work, and they will be eager to respond, but cyber incidents are typically a marathon, not a sprint, and managing the peaks and troughs of an incident can take its toll. Peaks may require shift working, and troughs are the time to regroup. It's unlikely that you will have a full picture of the systems and data that a hacker accessed for several days, or potentially longer. Furthermore, the technical recovery could be prolonged and take several months, not including the potential long-term reputational damage.
Communication
Communication in a crisis is essential to protect your reputation. Although keeping quiet is a strategy, it leads to speculation and rumour dominating the information environment, which can negatively affect public sentiment and your organisation’s share price. Alternatively, a considered and competent crisis communication strategy which demonstrates that the organisation is in control will likely limit the reputational damage.
As an incident progresses, the messaging needs to adapt to reflect the current situation. The media will want to know what caused the incident and what data was stolen during the attack. The messaging should reflect your current understanding of the situation while striking the right balance between being transparent and sharing too much too soon.
Are you ready to be hacked?
If you’ve read this article and you’re not sure that your organisation is prepared, we are experts in both the proactive and reactive aspects of cyber security.
Contact us today to get your organisation ready to be hacked.