
On 5 July, teissTalk host Jenny Radcliffe was joined by Daniela Lourenço, CISO, Tinka; Arnoud Tijssen, Information Security Officer, MN; and Henrik Løth Thiesen, Global Information Security & Risk Management (Director level), Vestas.
Human error remains the most effective vector for network infiltrations and data breaches, according to the SANS Institute's annual report. The report also found that the most mature security awareness programmes are those with the most people dedicated to managing and supporting them. It ranks maturity on five levels, from lowest to highest: non-existent, compliance-focused, promoting awareness and behaviour change, long-term sustainment and culture change, and metrics framework. Of the top three threats companies face (phishing, business email compromise (BEC) and ransomware), two rely on social engineering. Part of the problem lies in a lack of engagement from IT. The report suggests that investing time in security research and reporting could help executives and IT decision-makers understand the importance of training and employee vigilance. End users are most often blamed for falling victim to social engineering, but on many occasions they make mistakes because they have not been trained properly or have been given too many privileges; and frequently, the human error behind a breach is the misconfiguration of an automated tool.
Security teams reportedly spend two to four hours communicating the results of monthly security awareness training to the top team, which may itself be a sign of IT's lack of engagement. Explaining the threats posed by cyber crime also seems to be easier in a small company than in a large and complex one.
A cyber security incident in November 2021 forced Vestas to shut down IT systems across multiple business units and locations to contain it. From discovery, Vestas took about two months to prepare a validated report on the attack. One lesson learnt from the breach was how exhausted a team becomes when it has to work on incident response around the clock; remuneration schemes are often unprepared to compensate staff for those extra hours. Another was how staff are left scarred, asking themselves and each other: what if it happens again?
A lot can be learnt from false positives and near misses too, and you also need to work out how to support a staff member who has been targeted by a bad actor. The most important thing to have in place before a cyber incident is a transparent and candid relationship between the senior information security team and the C-suite and board; where a blame culture prevails, there will be no good communication. Daniela prefers to call the team a task force rather than an incident response team, because it is not a group with permanent members but a selection of experts drawn from different business units to resolve a particular incident. One positive effect of a cyber incident can be that cyber risk becomes more deeply integrated into the business's risk management policy. Retrospectives held after an incident has been remediated are a valuable tool for an agile information security team.