This week, I want to look at cyber incident management and share my thoughts on how the response can differ from managing other incidents.
If you look at the internet there is not a lot of guidance and information on managing cyber incidents from an organisational point of view. There is a huge amount on the technological response, on everything from precautions to take in advance, to detecting events, through to resolving the issues. There is also a brisk trade by consultants in running cyber exercises, but as I said very little on how to manage the response.
Responding to a cyber-attack and managing the incident, can be very similar to responding to an event involving loss of connectivity (denial of service attack) through to encryption of your data which has to be dealt with using your disaster recovery plan. In these events all the usual facets of incident management need to be used, including internal and external communications, informing customers, dealing with the media, and social media, and managing the issues through to back to business as normal.
However, there are a number of additional elements of incident management within a cyber-attack which make the response more difficult. Hence, I think organisations should have a separate cyber response plan, carry out training with their incident teams on the plan, and then verify their understanding of the plan by conducting an exercise.
Cyber incident response is different for a number of reasons, here are a few examples:
- Behind a cyber-attack is a criminal who is controlling the attack deliberately to have a certain affect on your organisation. This is very different to a natural or manmade incident where the course of the incident is arbitrary. Whatever counter measures you take during the response to the incident may be what the cyber attacker wants you to do which could make the situation worse. Hurricanes don’t last beyond a few days and flood water recedes, however a determined cyber attacker may attack you for weeks, even months.
- When floods, fire and storms strike you can see the effect of the damage on your organisation and once the event is over you can quite quickly quantify the damage to your organisation. Once you have done this you can manage the incident and start to rebuild and recover. In a cyber-attack the damage is unseen and much more difficult to assess. If your key customer database has been copied this is much more difficult to detect. The effect of having a cyber-attack in your systems is similar to having had a burglar in your house, you feel violated, you feel unsafe in what should be a place of safety and you don’t know what they have done, or where they have been.
- Usually during a disaster recovery event you try and get the effected systems up and running as quickly as possible to lessen the effect of the incident on the organisation. During a cyber-attack you may decide to disconnect external connectivity, to prevent further access to the attackers, even for systems which are working. As most attacks are criminal actions, the police and the insurance company may ask you to preserve systems in their attacked state so that forensic evidence may be taken from them. This is likely to be in conflict with the organisation who would like to get them back up and running, to lessen the effect of the incident on the organisation. The incident management team, in their training, should be aware of the likelihood of having to make decisions on issues such as these.
- Many incidents, especially in non-regulated industries do not have to be reported externally and so may be resolved without anyone outside the organisation knowing. Cyber incidents have statutory reporting and so the likelihood of people outside the organisation knowing about the incident is more likely.
- We must remember that a cyber-attack on an organisation is a premeditated criminal action where your organisation is the victim. Watching the news, if a cyber-attack takes place on your organisation it's not treated as a victim. The attitude is that it is your own fault in that you didn’t have appropriate information security measures in place. Once your name is associated with a cyber-attack it is very difficult to rebuild your brand and reputation. Whenever people mention cyber-attacks in the UK, Talk Talk is always the case quoted and it is taking them a very long time to build their reputation and move on from the incident.
Cyber response to incidents is not just about a technical response but it is about the organisation responding to an incident which just happens to be caused by a cyber attack. On the other hand, incident teams have to be taught within their training and their plan that there are a number of unique elements in the response to a cyber attack. Difficult decisions need to be taken and the team needs to be aware of what these are.
BC Training is considering writing a one day Cyber Incident Management course and would be interested in your comments on whether we should go ahead and write the course and what elements of cyber response you think it should contain?