Schillings' Cyber Experts explain what steps organisations should take to prepare for a cyberattack – and why testing your incident response plan is a vital part of these preparations.
The news is full of stories of cyber security attacks, but it is still difficult for organisations to get the resources to prepare for a potential breach if they have yet to uncover an incident that directly impacts them.
But the traditional approach of assessing whether you alone are likely to be the target of a cyberattack is no longer tenable. Today, everyone and anyone could be attacked due to their own vulnerabilities, their third-party suppliers or just by mistake (for example the NHS in 2017 with WannaCry). And remember, threats can originate from both outside and inside your organisation.
The starting point to being prepared is having a well thought through plan in place. You also need to develop the detection technologies, systems and handling processes you will need when responding to an event. Your response should be part of a wider program that follows the cycle of Identify, Protect, Detect, Respond, Recover.
Why do we need a plan?
A well planned, rehearsed and executed response will help to minimise the damage caused by a cyberattack. This could mean reducing the amount of data lost, minimising public and media impact and maintaining your reputation.
The first 72 hours of an incident are critical because GDPR and NIS (the Security of Network & Information Systems regulations) stipulate some key decisions and steps that must take place within that period. The goal should be to manage the incident in a way that reduces exposure to risk and supports business continuity. This should be done whilst gathering and preserving the evidence required to perform the risk assessment that will determine whether the Information Commissioner’s Office (ICO) - and the individuals potentially affected by the breach - need to be notified, and what other actions need to be taken.
Preparation and mitigation for data breaches are both explicitly required by the ICO, as part of your GDPR-related measures. The ICO state that you should, "Have well-defined and tested incident management processes in place in case of personal data breaches."
Who should be involved in the plan?
Having a cyberattack response plan in place will help you make good decisions under the often-intense pressure of a real incident - but for the plan to work, you need to have a team ready. The team responsible for delivering the plan when a serious cyber incident occurs needs to represent the whole business, and not just be a technical team.
The act of creating a plan will help identify gaps in your incident handling capabilities, define stakeholder roles, establish communications and escalation processes, boost collaboration and increase executive awareness to help improve security. Plan for the specific types of incidents that your team will respond to and develop step-by-step procedures that can be easily followed when you are in the eye of the storm.
If you don’t have a detailed plan in place, several things might happen. To start with, your security team and management team could struggle to both understand and respond to the incident. Without a plan in place, there is a greater chance of them making expensive mistakes. Not having a plan in place will lead to missing out key steps and could potentially expose you to fines or legal action. And insurers or regulators might want to see evidence of the steps you took; much more difficult if you haven’t been following a plan.
Reporting on and responding to a cyberattack
A cyber security incident may be spotted anywhere in the organisation and consequently be reported in different ways and to different teams – your IT helpdesk, an outsourced IT provider, IT security, legal, HR, PR. Each of these teams needs guidance on how to identify something they should report and who they should report it to. These incidents need to be reported quickly and clear guidance in plans helps with this process.
All possible incident alerts should be routed to the team responsible for managing them. They can then assess and triage the incident, and also correlate with other information they gather about your organisation, your sector and the wider cyber landscape (using resources such as CiSP – the Cyber Security Information Sharing Partnership, a joint industry and government initiative run by the UK’s NCSC
The incident team should be able to easily share data and relevant information, which is crucial to being able to respond effectively. A degree of foresight to establish trustworthy out-of-bounds communications channels is required in case the primary source of communication between the incident team becomes unavailable or compromised.
Keeping a careful record of the incident response, decisions made, actions taken, data captured (or missing) is incredibly useful for post-incident reviews. This is especially true if you will need to present evidence of your response to a regulatory body.
As more is uncovered about the nature of the attack or incident, it is possible to determine more actions that can be taken to contain it - you should look to contain the attack early on, since this may be critical when faced with an incident where damage or loss is ongoing.
Testing your plan
But before any of this, you should carry out a mock cyber security event (loss of data, ransomware, loss of email) to show up areas of security vulnerability, processes that could be improved and gaps in your security posture. Testing your plan will show regulators that you have taken cyber security and data privacy seriously. Aim to exercise at least one aspect of cyber security every year. It’s also important that any incident management plan should be thought of as a living document that is regularly reviewed and updated as the business changes.
It may be that an exercise will highlight that your crisis management team only needs to include three people. On a recent exercise with a senior management team, it quickly became apparent that the only people needed for decision making were the CEO and the CISO. All others on the exercise apart from the note taker were either deputies (who needed to know what to do if the CEO and/or CISO were not available) or heads of Legal, Comms, HR and other areas of the business who were not allowed or empowered to make decisions in the event of a cyber incident within that particular organisation.
Given the rise in cyberattacks over recent years, it's increasingly clear that it’s not the size of the organisation that makes it a target a cyberattack, but the sensitivity of the data it holds. Being prepared and having a plan in place – no matter the perceived level of risk – is vital. And having a plan without testing it is preparing to fail.
This full version of this piece was originally published by the Society for Computes and Law (SCL).