Do you know how to respond to a cyber breach?
Most organisations in the UK have experienced a cyber security breach. But not all of them prepared an adequate response plan before the breach happened.
At first you may not realise that you have been breached. But once you do realise, it is important to have a robust response plan in place.
And an essential part of that plan is having a multifunctional response team that you can rely on. “Multifunctional” because you simply can’t rely on a few stressed IT execs to handle the whole of the problem.
So who should be in your team?
You can't rely on a single person to manage cyber incidents. So you will need to decide who is best suited within your organisation to include in your response team. And don't forget that some of the most appropriate people to use may well be sitting outside your organisation - legal advisors perhaps, or cyber security specialists.
- You will need a leader. Not necessarily your head of IT, though. If your organisation has a chief information security officer role, then this person may be appropriate. But only if their experience is wider than solving technical issues. Otherwise you will need a senior member of your executive team who can coordinate the different functions.
- Then, of course, you will need someone from your IT or data security team. This person is going to be responsible for the technical issues – containing the breach so that it gets no worse and, where appropriate, making sure that any data that can be used as evidence (logs, affected systems, disk and memory images) is collected and stored safely before clean-up and rebuilding destroy it.
- You will need someone who can keep an eye on the legal and regulatory issues. If it is a simple data breach then your data privacy officer (if you have one) will be the right choice to liaise with the regulator (the Information Commissioner’s Office in the UK). But sometimes the issues may look as though they will go beyond simple compliance with the Data Protection Act. If there are contractual, libel, personal injury or criminal considerations, then you may need a lawyer on your team.
- You will also need someone to handle communications to, and from, employees. This is an important role for a number of reasons. Your employees can be your eyes and ears during a crisis, reporting useful information to you. But they also need to know what to say, and what not to say, to people who may ask them about the breach – fellow employees, journalists, customers, family and friends. And of course it is possible they may be worried about the implications of a data breach on their own jobs. So it is essential to keep them informed and motivated.
- You will also need someone who can manage external communications. This may well be a very demanding role as there could be a number of competing channels to manage: journalists, social media, emails and phone calls from customers and other stakeholders.
- Finally, if the situation demands it, you may well need a board representative. This is someone who can keep the directors and owners of your organisation informed and confident that the situation is being resolved.
That’s a fairly big team. And of course you should have access to appropriate deputies, as people always go on holiday at the most inconvenient times.
There is one other person you will need though before you call your team together, and that is a triage specialist. Not every cyber incident is a crisis that merits calling the response team out, so you need someone who can evaluate the nature of any incident that has been uncovered and decide what sort of response it requires.
Is this something for marketing and the social media team to keep an eye on or for customer service to respond to? Is it a minor leak that won’t hurt anyone and that doesn’t merit any action beyond plugging the leak against future incidents? Or is it a full-blown crisis that needs a strong response?
Incidents can be uncovered in many different ways – by IT execs monitoring network traffic, by marketing staff monitoring social media, by salespeople talking to concerned customers and by any employee seeing unusual activity on a workstation. So whoever spots a suspicious circumstance, they need a clear path to report their worries to someone who can then decide on the level of action that is needed.
Responding to incidents
Once an incident has been discovered and triaged as something that needs the incident response team to handle, you will need to have a structured process to run through, a "playbook" of actions needed when handling a particular incident. This is likely to involve several separate stages:
- The initial analysis of the incident: what it is and why it is happening
- Containing the incident and repairing any damage that needs fixing quickly
- Communicating, internally and externally, throughout the time the incident is being managed, and for a time afterwards
- After the incident has been managed, analysis of what went well and what could have been handled better; updates to your incident playbook should then take place
- Implementation of any additional preventative and impact-reduction processes to make your organisation more secure in the future
Creating a plan isn't enough though. Take it down from the shelf, dust it off, and practise it on a regular basis. Otherwise it is more than likely that your plan won't work in the way you hope when you face a real crisis. So make sure you run regular breach scenarios where people can explore their understanding of the roles they need to play and where practical issues - such as whether you have up-to-date contact details for all the members of the incident response team (IRT) and their deputies - can be tested.
Deciding how to react to a cyber security incident isn’t simple. If you want to learn more then why not come to our next cyber breach response workshop in central London on 20 February and learn from Phil Cracknell’s 20 years’ experience as a CISO to create a response plan that can stop a major cyber security incident from turning into a business crisis.