Teiss Head of Training and Consulting, Jeremy Swinfen Green, explains how organisations need to use a structured approach when dealing with a cyber breach.
New research from the London Chamber of Commerce indicates that around 40% of mid-sized and large UK companies have experienced a data breach in the last year.
It’s clear that preparing for a cyber security incident is an important part of a strategy to reduce their impact. A structured plan can help organisations manage internal and external communications effectively, preserve evidence for legal suits and insurance claims, and reduce the damage caused by intruders.
So what should a plan look like? In most cases plans can be illustrated by a fairly simple workflow that could look something like this:
Each of the stages in the workflow is important although this, and the activities they represent, will vary depending on the nature of the breach.
Detecting an incident
It takes a while to detect a cyber breach. Estimates vary from over 80 days to over 200 and during that time hackers can be exploring IT networks, laying down “back doors” they can use in the future, evaluating the relative worth of your data (and deciding how best it can be used), and finally stealing it, while very possibly causing damage to your network as a way of hiding their tracks.
Having effective systems to detect attacks is important obviously.
Triaging an incident
Once an incident has been detected it needs to be triaged. This involves deciding what action needs to be taken and who needs to be in charge of taking that action.
In some cases no response will be required. In other cases the decision may be to maintain a watching brief on suspicious activity. But sometimes an immediate response will be needed, typically (but not always) by the head of your cyber security team.
Mobilising the plan
If you decide action is needed that is when you pre-prepared response plans can be rolled out. You will of course have different plans for different types of incident, with the details, including the roles and responsibilities of the team responsible for managing the incident, collected together in your “scenario playbook”.
Investigate, contain, repair
The first responsibility of the incident response team (IRT) is to find out what is happening and contain any damage if possible. It will be important not to jump to conclusions. Is that ransomware attack something that could take down the whole of your organisation’s communications; or is it a hoax. Is the massively increased traffic on your website a “DDoS” attack or simply the result of a new and successful marketing campaign?
If damage can be contained it should be. But repair won’t necessarily take place at one: you may need to maintain systems as they are in their damaged state for your insurance company or even for the police.
At the same time that some members of your IRT are investigating the incident and trying to repair any damage, other team members will be communicating with appropriate stakeholders, internally (for instance with employees and with the Board) and externally (for instance with specialist services, business partners, customers, the media and the regulator).
Knowing what to say, when to say it, and how to say it, will be an important part of reducing reputational damage, maintaining employee morale, and keeping important stakeholders such as shareholders, banks and regulators on side.
Once the dust has settled it is time to evaluate what has happened. What went well? What could have been done (or said) better?
You will want to update your scenario playbook so that if a similar incident happens again you are even better prepared.
It’s not just about improving your response though. You also want to use your learning to improve your risk strategy and mitigations so that a similar incident in the future is less likely.
Why did the incident happen? Who was responsible, internally and externally? What might have prevented it? How might its initial impact and extent have been reduced? Hard questions to answer, but if you don’t ask those questions you certainly won’t improve your defences!
It shouldn’t be difficult
Cyber breaches are likely to happen to your organisation. You may well have third party specialists or suppliers signed up to manage your response. But even if you do, that doesn’t mean you can leave everything to them. It is still important to know how you want to react and what actions you can take to reduce the impact of the breach.
Without sufficient preparation you can have no chance of this.
Teiss offers a variety of training solutions including training on cyber breach management, including one-day workshops and online courses, designed to help you reduce the damage to your organisation caused by cyber breaches.
Want to know more about how to help your organisation respond to cyber breaches? Do you have your own tips and tricks you would like to share? Please get in touch with our Head of Training and Consulting, Jeremy Swinfen Green at firstname.lastname@example.org.
Image reproduced under licence from thinkstockphotos.co.uk copyright kentoh