Knowing your ‘knowns’ and managing the unknown: preparing for and responding to cyber incidents
- Published: Wednesday, 23 November 2016 09:19
A good cyber incident response can make or break an organization’s reputation; and preparedness is the key to an effective response. In this article Dominic Cockram shares four lessons learnt while helping organizations improve their cyber crisis preparedness.
Cyber attacks and data breaches are here to stay. As long as confidential commercial data and personal information hold a financial value on the black market, the battle between cyber criminals and corporations will continue.
They are also very costly – UK telecoms group TalkTalk admitted to losing £60 million in revenue and 100,000 customers following their data breach in 2015 and Sony Pictures is estimated to have lost between $35 million and $100 million following a systems hack in 2014.
Yet the 2016 UK Government Cyber Health Check and survey of FTSE 350 companies had some surprising results: only 33 percent of boards felt they fully understood their own cyber risk appetite; 49 percent had a clear understanding of the potential impacts of a cyber crisis; and 15 percent felt cyber was a technical issue which did not warrant board attention. These results are of considerable concern given that experts recognise it is a matter of when, not if, a cyber attack or data breach will occur.
The United Kingdom’s House of Commons Select Committee recently noted, in its review of the TalkTalk data breach, that cyber incident preparation, awareness, enforcement and responsibility should be higher on organizations’ agendas. Where it is not, organizations risk being perceived as having failed in their duty of care to customers and shareholders when the worst occurs.
With high profile calls for executive pay to be linked to cyber preparedness, and annual reports potentially required to include sections on cyber security, it is time to understand what being prepared for a cyber crisis means.
Four cyber crisis preparedness lessons
Appoint a cyber czar – governance, responsibility and accountability are critical
Corporate boardrooms are beginning to recognise cyber risk but there is still no clear ‘owner’ of this varied, often technical, and always complex issue. While many organizations have a chief information officer, chief technology officer or chief information security officer, there is seldom an executive leader with the right level of understanding, accountability or authority to lead a cyber strategy.
A cyber preparedness strategy requires a statement of ownership and defined responsibilities across your organization. It must bring together the groups involved in a cyber response – from IT, information security and risk, to customer services, HR, communications and general counsel, to name a few. While cyber security is primarily a technical issue, the response to a cyber incident involves a much wider group; this is all too often missed.
Clear policies and cross-functional relationships need to integrate the cyber programme with your organization’s other operational and strategic activities.
Your organization also needs a clear understanding of its own cyber risk appetite and the impacts cyber threats may create. Only then can you start to prepare the organization to be cyber aware.
Know your cyber facts – knowledge is power
Lack of cyber awareness at all levels of an organization – from executive and management teams to operational service providers and front of house staff – is a serious risk. It can unravel all the good work done by information security teams.
Repeatedly we see senior executives shocked by the pace, complexity and uncertainty of a cyber incident. Organizations are often left grasping for facts in the face of experienced – and today often technically adept – journalists with questions they should know the answers to, leading to public outrage and disappointment at their inability to provide reassurance.
There is no excuse not to have at your fingertips key facts about your systems, data, encryption, budgets and the other areas you know the media and other stakeholders will want details of. What has been accessed? How many records have been stolen? How did ‘they’ defeat cyber defences? These are questions there may not be answers to, but there are others that can – and should – be answered: how many records do you hold? What is encrypted? What data do you hold? What data do you share? Far too often the answers to these questions have not been prepared.
Each function supporting your organization’s cyber crisis response should know its role, strengths and vulnerabilities:
- Is your executive management team informed enough on the issue to make strategic decisions? Do they know what critical data the organization owns, how much risk it creates and what a hacker could do with it? Do they understand how long it may take to investigate an attack, and that it may be weeks or months before certain facts can be confirmed?
- Could your communications team respond to stakeholder questions with cyber facts? Are they trained on the contents of the cyber crisis communication plan? And has it been tested and discussed with legal?
- Do you have technical specialists who understand the wider worlds of cyberspace: the dark web, bitcoin payments, Tor and so on? Can they reach into these worlds safely? Can they conduct the forensic analysis needed to investigate a breach or do they need external support? Is there a plan, and contract, in place to provide that support as fast as possible?
- Has your information security team conducted cyber due diligence on your suppliers – could an attacker gain access to your systems via a third-party interaction? Have you had a cyber preparedness assessment?
- Does your legal team understand the potential liabilities of a data breach? Do they have the correct external relationships to support rapid decision making?
- Do your risk and finance teams understand your insurance position, business interruption or cyber remediation cover, compensation policy and credit monitoring approach?
Cyber risk awareness is a broad and important area requiring strong support across the organization.
Prepare – it is the only way to deliver a credible, professional response to a cyber crisis
If we accept that cyber incidents are inevitable and a critical reputation risk, preparing an effective cyber incident response is no longer an option.
The speed of the response can determine how well the situation will be managed and resolved. A quick response requires pre-prepared tools, processes, procedures, checklists and structures, as well as responders who understand their roles and responsibilities and recognise where they are empowered to act.
While high impact cyber incidents are, in many ways, similar to other crises a senior management team might face, their uncertainty and complexity provoke unique challenges.
Crisis management frameworks and capability should be reviewed against cyber scenarios; crisis management plans may benefit from a ‘cyber response annex’; and exercises should build your teams’ understanding and competence in the risk and be conducted at different levels.
Give technical teams a chance to use their analytical tools, understand how long the various proposed actions might take, practise detailed tracking and log analysis, test information flows and reporting, and ultimately manage a coherent technical response. Workflows should not just be on paper – they need validating in real time to reveal gaps and potential issues.
Give senior executives the chance to acquaint themselves with cyber risk in ‘peacetime’ and realise how complex a data breach response can be. During cyber exercises we frequently see them develop very different response strategies from those they would use for other crisis scenarios.
Scenarios should also explore the links between incident management and crisis management levels – referred to as silver and gold by some, tactical and strategic by others – to test information flow and situational awareness.
Avoid repeating your errors – identify and embed the lessons
There is often a tendency following a crisis or near miss to breathe a sigh of relief and rush back to business as usual. But there is much still to do. It is important to understand why the incident happened in the first place, as well as identify and learn lessons from the incident response to improve for next time.
We frequently observe, however, organizations failing to learn lessons from incidents they – or others – have suffered. Even when an investigation is carried out, the lessons are not always widely shared, let alone learnt. Suffering a cyber incident is only unfortunate the first time; if it happens a second or third time – when attackers start to recognise a vulnerable organization as a weak target – and you fail to respond effectively, it will not go unnoticed.
Conducting a post-incident review, identifying what worked well and what didn’t, is a sign of a mature organization keen to learn and develop. Taking the lessons and then generating change is an even greater challenge, but it more than repays the effort. Non-executive directors and other board members can provide the much-needed leadership and governance to ensure reviews are done, lessons are carried forward, and incidents do not repeat themselves.
As stated earlier, good cyber incident response can make or break an organization’s reputation. If your organization can get its cyber security governance, cyber awareness, cyber incident response preparedness and review process right, you will be on the right path.
Cyber risks and crises are here to stay – start work now to ensure your organization does not suffer unnecessary financial and reputational impacts.
Dominic Cockram is a director of Regester Larkin and managing director of Steelhenge Consulting. To discuss any of the issues raised in this article please get in touch with Dominic at email@example.com