teissTalk: Leading remote Incident Response and crisis simulation

teissTalk Guest Host Rene Millman was joined by Deborah Haworth, CISO, Penguin Random House; David Cartwright, Head of IT Security, Standard Bank International Client Solutions; and Chris Pace, Vice President, Product and Content Marketing, Immersive Labs

Views on news

The recent Tesco hack, which was originally described as “someone was trying to interfere with our systems”, demonstrates how instrumental the comms team is to a successful incident response. A couple of days after the incident, Tesco’s communications still lacked updates to customers about their personal and card data, a public apology or reassuring messages, despite the sensitivity and the criminal and marketing value of the type of data that criminals could potentially have got their hands on.

Tesco as a public company, on the other hand, has a maximum of 72 hours to report to the ICO. Another mistake that companies tend to make is being unjustifiably bullish about data security in their communications, which then rings overblown and hollow once the true scale of the breach has been revealed. The best tack is to be transparent about what’s happening and keep stakeholders in the loop throughout. However, the answer to how open post-incident communications should be may be different for each organisation.

Building muscle memory and the necessity of thinking on your feet

Rehearsing for disruptive incidents – both physical and cyber – through simulations is key to building muscle memory across the organisation. Cyber teams are just one among the many different teams of organisers and administrators that need to be involved in incident response. There always needs to be a playbook readily available when a real incident happens, but it’s equally important to make judgement calls when unexpected scenarios arise.

Interestingly, remote working arrangements have made incident response a somewhat simpler task. Business recovery suite cancellations are expected to increase, as most organisations are now able to send staff home and switch to remote working, and business continuity is becoming easier to maintain. Meanwhile, collaboration tool subscriptions are anticipated to rise, as upholding internal communication during an incident may involve redirecting all communications from one platform that goes down to another that is still up and running, for example from email to WhatsApp. Incident response is another area where there is no right or wrong while it’s happening – it’s only the outcome that verifies a judgement call as good or bad in the ‘lessons learnt’ stage.

Panellists’ advice

Extensive planning can make exercises much more effective. As to their size and length, not all of them need to be day-long, full-blown exercises. However, make your simulations as cross-organisational as possible. To involve the C-suite, for example, plan one-hour mini-exercises. Never stop either your exercise or a real incident response before the ‘lessons learnt’ stage.

Stick to the procedures contained in your playbook but also reassess your risk landscape on the go.

If an actual attack occurs, regard it as an exercise with real-life relevance and don’t forget about the takeaways either.

Copyright Lyonsdown Limited 2021
