The news is full of stories of cyber security attacks, but it is still difficult for organisations to get the resources to prepare for a potential breach if they have yet to uncover an incident that directly impacts them.
With collateral damage and supply chain attacks, this position is no longer tenable. The traditional approach of assessing whether you alone are likely to be the target of an attack does not apply. Today, everyone and anyone could be attacked due to their own vulnerabilities, their third-party suppliers or just by mistake (for example the NHS in 2017 with WannaCry). And remember, threats can originate from both outside and inside your organisation. The starting point to being prepared is having a well thought through plan in place. You also need to develop the detection technologies, systems and handling processes you will need when responding to an event. All this needs to be done in a systematic way in order to ensure you are ready to respond and will have effective decision-making in the event of a cyber incident or breach, based on your organisation’s unique circumstances. Your response should be part of a wider program that follows the cycle of Identify, Protect, Detect, Respond, Recover.
Why do we need a plan?
A well planned, rehearsed and executed response will help to minimise the damage caused by a cyberattack. This could mean reducing the amount of data lost, minimising public and media impact and maintaining your reputation.
The first 72 hours of an incident is critical because the GDPR and NIS (the Security of Network & Information Systems regulations) stipulate some key decisions and steps that must take place within that period. The goal should be to manage the incident in a way that reduces exposure to risk and supports business continuity whilst gathering and preserving the evidence required to perform the risk assessment that will determine whether the ICO and the individuals potentially affected by the breach need to be notified and what other actions need to be taken.
DCMS’s (the UK’s Department for Digital, Culture, Media & Sport) Cyber Security Breaches Survey 2021 states that “Most organisations (66% of businesses and 59% of charities) report having some sort of formalised incident response process” in place. However, due to the way the question is asked, it does not state whether these respondents have a full plan in place. From anecdotal evidence, this seems unlikely.
Preparation and mitigation for data breaches are both explicitly required by the ICO, as part of your GDPR-related measures. The ICO state that you should, “Have well-defined and tested incident management processes in place in case of personal data breaches.”
Who should be involved?
For this, you need the right people, with appropriate skills, in place, with an incident response plan and relevant data analysis tools. Having a plan in place will help you make good decisions under the often-intense pressure of a real incident. For that to happen and for the incident response plan to work, you need the business to have a team ready to stand up with incident response tasks embedded into their everyday core roles. The team responsible for delivering the plan when a serious cyber incident occurs needs to represent the whole business, and not just be a technical team.
The act of creating a plan will help identify gaps in your incident handling capabilities, define stakeholder roles, establish communications and escalation processes, boost collaboration and increase executive awareness to help improve security.
Your incident response plan should be linked (or for smaller organisations, combined) with disaster recovery, business continuity and crisis management plans, and supported with the relevant capabilities for these areas. These come into play when an incident is serious enough to cause major disruption and/or damage to your business. Plan for the specific types of incidents that your team will respond to and develop step-by-step procedures that can be easily followed when you are in the eye of the storm.
If you don’t have a detailed plan in place several things might happen. To start with your security team and management team could struggle to both understand and respond to the incident. Without a plan in place, there is a greater chance of them making expensive mistakes. Not having a plan in place will lead to missing out key steps and could potentially expose you to fines or legal action. And insurers or regulators might want to see evidence of the steps you took; much more difficult if you haven’t been following a plan.
Reporting and responding
A cyber security incident may be spotted anywhere in the organisation and consequently be reported in different ways and to different teams – your IT helpdesk, an outsourced IT provider, IT security, legal, HR, PR. Each of these teams needs guidance on how to identify something they should report and who they should report it to. These incidents need to be reported quickly and clear guidance in plans helps with this process.
All possible incident alerts should be routed to the team responsible for managing them. They can then assess and triage the incident, and also correlate with other information they gather about your organisation, your sector and the wider cyber landscape (using resources such as CiSP – the Cyber Security Information Sharing Partnership, a joint industry and government initiative run by the UK’s NCSC). https://www.ncsc.gov.uk/section/keep-up-to-date/cisp
The incident team should be able to easily share data and relevant information through team conference calls, group chat and shared tracking spreadsheets or project management software.
Sharing critical incident information is crucial to being able to respond effectively. A degree of foresight to establish trustworthy out-of-bounds communications channels is required in case the primary source of communication between the incident team becomes unavailable or compromised.
Keeping a careful record of the incident response, decisions made, actions taken, data captured (or missing) is incredibly useful for post-incident reviews. This is especially true if you will need to present evidence of your response to a regulatory body.
As more is uncovered about the nature of the attack or incident, it is possible to determine more actions that can be taken to contain it. In many cases, you may need to perform further analysis before containment actions can be taken. However, you should look to contain the attack early on, since this may be critical when faced with a live incident where damage or loss is ongoing.
Testing your plan
But before any of this, you should carry out a mock cyber security event (loss of data, ransomware, loss of email) to show up areas of security vulnerability, processes that could be improved and gaps in your security posture.
It is so important to exercise or test your plan and much better to be tripped up during a practice than in a real event. It also shows regulators that you have taken cyber security and data privacy seriously. Aim to exercise at least one aspect of cyber security every year.
Any incident management plan should be thought of as a living document that is regularly reviewed and updated as the business changes. All too often it can be neglected during business changes, whether large or small. Any unrecorded changes could have wider reaching consequences in being able to emerge from a cyber security incident with minimal loss.
It may be that an exercise will highlight that your crisis management team only need to include three people. On a recent exercise with a senior management team, it quickly became apparent that the only people needed for decision making were the CEO and the CISO. All others on the exercise apart from the note taker were either deputies (who needed to know what to do if the CEO and/or CISO were not available) or heads of Legal, Comms, HR and other areas of the business who were not allowed or empowered to make decisions in the event of a cyber incident within that particular organisation.
What trips us up?
- Not having/updating a plan
- Believing this is purely a technical problem
- Lack of communication
- Lack of means of communication
- Alerts not reported to a central point
- Evidence not kept of steps taken (needed if there is any regulatory review from e.g. the ICO)
- Lack of cascade phone lists
- Not knowing what are the most critical data and the most critical systems
- Just turning your computers off – this can destroy valuable forensic evidence that experts might need to work out how your cyber security was breached. Ransomware can also sometimes cause more damage on a computer which is turned off and turned on again than on a computer that is disconnected
- Too slow an escalation from the discovery of the cyber event to the point at which appropriate experts are engaged
- Communicating too early, so not being able to answer questions or provide insight on potential risk and impact on the organisation and third parties
- Communicating too late, so displaying a lack of ability to detect and handle an incident
- Senior spokespeople who are not media trained
- Poorly briefed senior spokespeople
- Lack of legal advice
- Not exercising (testing) the plan regularly
