Cyber Incident Management Training – 10 Lessons Learned

Sep 8, 2017

This week Charlie looks at the lessons learned during our first Managing and Preparing for Cyber Incidents course.

Yesterday, I ran Managing and Preparing for Cyber Incidents for the first time and I thought I would share ten lessons that were learned during the training.

1. When you have decisions to make that involve 2-3 different potential outcomes, it might be a good idea to develop a playbook for managing the incident. This will help your incident team choose one of the options available, depending on the circumstances of the incident. See my previous bulletin, What is a playbook and do you need one?, for details as to what should be included in a playbook.

2. You need to get your senior managers to understand your IT, including where it is situated and what the risks, capabilities and level of preparedness for a cyber incident are.

3. In a cyber incident, is the CEO the best person to be the organisation’s spokesperson or is it better to have an alternative spokesperson? With an alternative spokesperson, there is an ability to escalate the communications response to a more senior manager if required.

4. As part of your communications strategy, are you going to decide to portray yourself as the victim or the villain? Are you an innocent victim who has been hacked or was your IT security lax and therefore you are the villain, for not protecting your stakeholder’s data securely?

5. Have you practised your senior management team’s ability to make decisions, with far-reaching consequences and without access to all the facts of the incident?

6. Does your senior management team know the answers to the likely questions the media are going to ask after a cyber incident? Have you got a list of the other questions the media may ask, which the spokesperson needs to be briefed on?

7. Are the members of your incident management team and senior managers aware of the capabilities of the organisation? For example, if you want to isolate your systems from the outside world i.e. “pull the plug”, then how long does this task take and how easily is it carried out?

8. Has your organisation carried out a vulnerable analysis to ascertain the following?

a. What do we have that others might want?

b. What data do we hold?

    i. Intellectual property

    ii. Negotiating positions

    iii. Staff data

    iv. Customer data

    v. Personal information

c. What is the most embarrassing bit of information we hold?

d. Do you have data which can be exploited for financial gain?

e. Ability to transact financial fraud (credit card numbers, bank details, etc.)

f.  Possible impacts on operations (SCADA, integrated supply chain, etc.)

9. Does your organisation have a plan in place with the associated pre-written communications for what to say to staff, if their information held in company systems is compromised? Are you able to provide appropriate help to them if they are a victim of identity theft?

10. How can you demonstrate to customers, regulators and stakeholders you have taken appropriate measures to protect yourself? Consider certifying to ISO 27001 or Cyber Essentials Plus, which are both badges you can use to demonstrate your commitment to information security.


BCI Education Month Discounts – 1st-30th September 2017 

As part of BCI Education Month, we are offering the following discounts:

20% off public scheduled courses and BCI E-Learning Building Resilience*   

10% off CBCI Online Training Course with Exam*

50% off VIA-C and Good Practice Guidelines 2013** 

Sign up to our Education Month webinar by clicking here – “Out with the old, in with the new: Changing perceptions of Business Continuity”, with Chris Rhodes and Gordon Brown from PlanB Consulting – Friday 22nd September @ 11am BST

*Only applies to courses purchased between 1st and 30th September 2017, and taken before 31st December 2017. Offer does not include PECB courses.

**Only applies to products purchased between 1st and 30th September 2017.

Sign-up to our Newsletter

"*" indicates required fields