Business continuity consultant, Charlie Maclean-Bristol FBCI, recently conducted a response exercise using cyber attack as the scenario. In this article he captures ten lessons learnt from conducting the exercise:
Lesson one: I don’t think you need to be an IT security expert to conduct a cyber attack exercise. The technical element of the exercise is done by IT, and if you are looking at the first 24 hours of an incident then you don’t have to be too specific about how the attack took place, just about what the consequence of the attack was.
Lesson two: To be credible you have to do some reading on how other attacks have taken place, what the consequences of them were, and how to respond to them. There is a lot of guidance on the web about this so it is not very difficult to get yourself up to speed on the subject. One particular document I thought was useful was the National Institute of Standards and Technology (NIST) ‘Computer Security Incident Handling Guide.’ It is reasonably technical but it contains lots of useful advice for those who are non-technical.
Lesson three: One of the first lessons learnt during the exercise was how would the news of a data breach come into the organization, and how would the incident team who is responsible for managing any incident be made aware of it? There was a fear that the information might stay amongst senior managers, or IT, and those charged with managing the incident might not immediately be informed. Who within your organization is responsible for managing the response to a cyber attack, and are IT and senior management aware of how an incident would be managed?
Lesson four: If the personal information of your staff held by the organization was compromised, including their dates of birth and financial information, do you have in place a pre-written communication which informs them of the risk and goes through the process for staff to check if they could be a victim of identity fraud and giving them useful advice? It was felt during the exercise that this information should be pre-prepared as it might take some time to collate the appropriate information together.
Lesson five: It was also felt that it would be useful to have prepared in advance what information security the organization has in place, and any standard they adhere to. So if there was a breach, or a potential breach, you could immediately ensue the robust processes are carried out. This is when having ISO 27001 would be very useful, as you could then say you take data security very seriously, your information security is externally audited, and you are certified to ISO2 7001.
Lesson six: If you outsource any part of your IT to a third party, have you thought through how you would work with that organization to respond to an incident?
Lesson seven: One of the key decisions to be made during an incident is when will you inform your stakeholders, or those who could be affected by the breach, that the incident has happened. My reading on the subject said that if you do it too early you might not know the true facts, and it may be worse than you initially thought. While if you leave it too late, it looks like you are trying to cover up the event. An exercise is a good forum to have this discussion rather than during an incident.
Lesson eight: Communications during a cyber incident are going to be key, but often the plans in place for this only deal with the technical response to the incident and communicating with stakeholders. You need to ensure that your existing incident communication plans are robust enough to deal with a cyber incident.
Lesson nine: Have you thought about the insider threat? Snowden didn’t hack into the NSA to get the information he is presently releasing, he was an IT contractor working directly on the systems. Are you vetting appropriately your contractors and keeping records of who has had access to what systems?
Lesson ten: Last of all, incident prevention is better than cure, and sometimes good management of information security can prevent an incident.
The author
Charlie Maclean-Bristol FBCI is Director of Training at PlanB Consulting.
