There are some significant differences between a cyber incident and the usual type of incident that business continuity professionals are involved in managing. Charlie Maclean-Bristol looks at what the differences are and why they may affect how the incident is managed.
Recently, I have run both a one-day and a two-day Managing and Preparing for Cyber Incidents training course and, as a result, I am in the cyber incident management ‘zone’. So, I thought I would share some feedback from the classes on what they thought were the differences between managing a cyber incident and managing a ‘normal’ incident.
Of course, there are many similarities: the incident could have serious consequences, it needs an incident management infrastructure to manage it, and it has a crisis communications element. In addition, a cyber incident may cause a normal incident: an attack on a power grid may leave a power company having to manage customers with no power, or a ransomware attack may impact company systems, leaving the organization with no access to IT or telephony systems. However, there are a number of differences between the two types of incident, and these may cause you to manage a cyber incident differently, even if the consequence of the attack is the same.
The main differences are as follows:
1. The response to a cyber attack can have high-risk consequences for the organization, in terms of impact and reputation. It also has high-risk consequences for those responding. Equifax lost their CEO, CIO and CSO after their massive loss of data in the autumn of 2017. The senior executives of other organizations that have had a cyber breach have suffered the same fate.
2. Due to the reporting requirements for data breaches, and especially the reporting requirements of GDPR, it will be difficult for the organization to keep quiet about the incident, which means reputational damage is more likely. The impact of a cyber incident can go way beyond the immediate victim, the organization. There is also a requirement under GDPR to contact those affected, so again a cyber incident could impact many more stakeholders than a normal incident. Equifax lost 143m records: that is a lot of people to contact, and a lot of people on whom the organization has had a negative impact.
3. An office block burning down is not very interesting in terms of global news coverage, but a cyber attack on a well-known name attracts more public and media attention. As cyber attacks seem to happen more frequently and to more and more different organizations, will interest wane and the public and media attention turn to a different threat?
4. The consequence of an attack may be invisible. A hacker could have been in your systems for 200+ days and taken all the information assets, data and intellectual property they want, yet there could be no visible impact on the organization’s IT systems, which could still be running normally. You may not know that you have had an incident until someone tells you. You can’t manage an incident if you don’t know one is taking place. If your headquarters building catches fire, the incident will be entirely obvious. It is difficult to explain how you had a cyber incident weeks, months or, in some cases, years ago and have only just noticed now.
5. If the cyber attack is targeted against your organization, you have the additional issue of trying to manage the incident and recover from it while knowing that someone has done this deliberately. You would have good reason to worry about what else they might have done and whether they could do the same again, or something worse, next time. What can the organization do to protect itself? Sometimes the feeling is similar to being burgled; it takes a long time to feel safe again, and in the back of your mind you are always thinking that it might happen again.
6. At the beginning of the incident, you may not know the full impact of the breach, and it may take several days to understand the full consequences, what has occurred and what you have lost. At the same time, your customers, staff and regulators may be putting you under a lot of pressure to give them all the information on the incident. If your initial assessment is wrong and you have to admit that the loss of data was greater than you said initially, at best you look incompetent and at worst dishonest, as if you were trying to cover up the full extent of the breach. Under GDPR you only have three days to provide information about the full extent of the breach, and who has been affected, to the appropriate authority. In the UK, this will be the Information Commissioner’s Office.
With a cyber event, the impact could be wider, the consequences greater and the public scrutiny more intense, and there is also the issue of trying to manage an incident without really knowing what happened, who did it and what has been lost. The stakes are higher and the impact of failure greater, especially on senior management and the organization’s reputation.
Charlie Maclean-Bristol, FEPS, FBCI, is Director of Training at PlanB Consulting.