Is Cyber Incident Response Planning on your Board Agenda?

Cyber attacks are an ever-present threat to your operational resilience and can severely impact your organisation’s ability to function normally. Cyber events can be as damaging to a business as a fire or flood, so careful planning is essential to avoid costly interruptions.

Preparation is key

A cyber security breach can cripple your IT systems, anger customers, enrage shareholders, impact your bottom line, draw the unwanted attention of regulators, and even destroy your firm’s hard-won commercial reputation. With 32% of UK businesses reporting at least one cyber attack in the past 12 months [1], preparing for cyber events is essential.

How would you respond in a cyber crisis?

In our experience, when called out to an incident, we often encounter confusion and, in some cases, blind panic.

Let’s take a common form of cyber assault – a ransomware attack. Imagine that hackers have disabled your IT systems to prevent you accessing your data, and are demanding you pay them for the ‘keys’ to unlock them. Worse still, the hackers have stolen your most valuable data prior to the main attack, so that they can threaten to release this information even if you manage to recover your systems without paying them.

How can you prepare for such a threat?

Developing your cyber incident response plan

A basic incident response (IR) plan should include:

  • Key contacts: IR team, third party service providers, Legal, HR, PR, Insurance contacts (if you have them).
  • Escalation: a process to determine the severity of an incident, to inform how quickly the incident should be handled and to whom it may need to be escalated.
  • Incident response flowchart: a diagram that helps steer your response, from initial discovery through to close down. This must cover the four core response stages – Analyse, Contain, Remediate, and Recover.
  • Legal and Regulatory: deciding what constitutes a reportable incident, and when and how to engage legal and law enforcement support.

Test your plan

One key component of your planning is to prepare your fellow senior managers and your technical teams for what to do in a cyber incident. Most commonly, this is through a table-top exercise to allow you to ‘live and breathe’ an incident without the financial and human costs of a real incident.

These exercises should be designed and delivered by specialists like ECSC so that you may learn from their years of experience in responding to real cyber incidents. They should also be customised to your specific IT dependencies, IT systems, defensive capabilities, and realistic threats to your cyber security.

Although variations are common, we often run separate sessions for the senior management team and the “techies”. The following are examples of the questions and challenges you may face:

Management Team

  • Do you go public and inform your customers?
  • How best do you respond to requests from the media?
  • Who speaks to the media and what do you say?
  • Should you pay a ransom to an attacker?
  • Can you switch off business critical systems?
  • Who do you share information with internally?
  • How do you react to social media, including Twitter and Facebook?
  • Are your internal and external communications in sync?

Technical Team

  • What should you communicate to management?
  • How do you interpret conflicting technical information?
  • Can you contain a breach without interrupting operations?
  • Is the attacker internal to your organisation?
  • When do you need external specialist support, and what type?

In addition to allowing you to experience a breach, these exercises often uncover weaknesses that you weren’t aware of and allow you to strengthen your defences.

Whether your organisation is 10 people or 10,000, putting guidance in place on how to handle incidents will help you make good decisions under the pressure of a real incident.

For further information contact Matt Clark, Cyber Director, Partners&

[1] UK Gov. Cyber security breaches survey 2023