Looking After Your People During a Cyber Incident

Apr 1, 2022

This week, Charlie discusses why it is so important to look after your staff after a cyber incident.

Yesterday, I taught the pilot of a new Cyber Incident Management course. This course is a day-long course which I developed for a client to use internally to ensure that the managers within the organisation have a greater understanding of what cyber incident management is, and highlights some of the issues they might face. We are looking for an NCSC certification for this course, and so we wanted to carry out a pilot of the course before submitting it to scrutiny, in order to hopefully receive the certification. Here at BCT, we already have one NCSC certified course, but plan to add another. As part of the course, I did a contemporary case study and as part of the case study, I commented on some of the issues people faced during their response. Combined with a webinar I watched last week, I thought I would share and explore some ideas on the above subject.

Many ideas surrounding, ‘looking after your staff after a cyber incident’, are very similar to issues faced by staff in a ‘normal’ incident. However, I think there are some differences too, as staff would need to be communicated with and the tools normally used to do this might not be available during a cyber incident.

A few thoughts:

  1. What are the skills needed to respond to a cyber incident? Especially technical skills. Are they invested in a few people within the organisation? Also, those managing the incident should make sure that they are well looked after, so that they don’t become burnt out whilst working overtime and under pressure.
  2. If you have a ransomware lockout, then your normal channels of communication between internal staff may not be available, especially if this is by email or using the internet. Staff need to be informed that if they cannot get information through normal channels at the beginning of an incident, they should know of a predetermined alternative means. In the initial few days, it might be difficult to contact all your staff, so this becomes even more important.
  3. If there is a major ransomware attack, the organisation may not know who its staff are. Each manager and colleague will know, but the list of staff will have to be rebuilt; having a hard copy of the staff list with their contact details should be considered.
  4. If a cyber-attack occurs and access to all systems is lost, it can be very disorienting for your staff. It’s similar to the shock of seeing your workplace burn down. You spend a lot of time working on a PC, you have it configured for your own use, you have your shortcuts, and know where to find things. Secondly, if data has been exfiltrated and then posted on the dark web, this again can make staff feel violated, a similar feeling to being burgled. I think it is important to recognise the shock and to acknowledge your staff members’ feelings, and you may need to take measures to help staff members work through their anxiety.
  5. During a couple of incidents I have listed staff experiences, and in both cases they have had some staff working extremely long hours under a lot of pressure, whereas others have nothing to do as their systems are unavailable.
  6. I recently attended Maersk’s webinar, where the presenter spoke about the complete loss of IT due to the NotPetya malware. During that incident, the IT staff were working 18-hour shifts, and were having to go to the hotel next door for a few hours to sleep before having to come back into work again, whilst others were sent home to do nothing until systems were back up. The HR department was desperate to do something to help, but there was nothing anyone could really do. One of the people in the IT department suggested the idea to do the technical engineer’s washing as they were not able to go home. So during the initial response, HR did their bit, however I think we need to recognise the strong desire of people to help, especially if they can’t work. As a result, a manager should be allocated to identify tasks that need doing, and link them up with people who want to help.
  7. In both the Maersk cyber-attack and the case study I presented, both organisations were very open about the incident. Although, I did wonder if the staff members were meant to keep the situation a secret… This would put additional stress on the staff, due to not being sure who knew and who didn’t know about it.
  8. In all incidents, there will always be a high reliance on the goodwill of staff to put in the additional time and effort to respond to any situations that may occur, a cyber incident is no different.

I just wonder if it’s the case that IT is critical to the delivery of most of our products and services, whether staff might get overwhelmed by the enormity of the response challenge, and their goodwill may be diminished.

There are of course the incident activities that are also needed in every incident such as, communication, perhaps an update at the same time and every single day, senior management visibility, offering to help staff and to support. The old adage is that people are our greatest asset, and if this is true then we should ensure that within our cyber response plans and playbooks there are procedures for looking after people. Similar to what we would find in hazard and natural disaster response plans.

Sign-up to our Newsletter

"*" indicates required fields