
The Differences Between a Cyber and a 'Normal' Incident

Author: Charlie Maclean-Bristol, Training Director, FBCI, FEPS

This week, to celebrate our updated cyber course, BCT Certificate in Cyber Incident Management, we take a look back at some of the similarities between cyber and 'normal' incidents!

There are of course many similarities between a cyber and a 'normal' incident: both could have serious consequences, need an incident management infrastructure to manage them and have a crisis communications element. A cyber incident may also cause a normal incident: an attack on a power grid may lead to a power company having to manage customers with no power, or a ransomware attack may impact company systems, leaving the organisation with no access to IT or telephony systems. There are, however, a number of differences between the two types of incident, and these may cause you to manage a cyber incident differently, even if the consequence of the attack is the same.

The main differences are as follows:

1. A cyber attack can result in high-risk consequences for an organisation, in terms of impact and reputation. It also has high-risk consequences for those responding! Equifax lost their CEO, CIO and CSO after their massive loss of data in the autumn of 2017. The senior executives of other organisations who have had a cyber breach have suffered the same fate.

2. Due to the reporting requirements of data breaches and especially the reporting requirements of GDPR, it will be difficult for the organisation to keep quiet about the incident, which means damage to the organisation's reputation is very likely. The impact of a cyber incident can go way beyond the immediate victim - the organisation. Under GDPR you are also required to contact those people who have also been affected, so once again a cyber incident could impact many more stakeholders than a "normal" incident. Equifax lost 143 million records, which is a lot of people to contact and for the organisation to have a negative impact on.

3. An office block burning down is not very interesting in terms of news coverage, but a cyber attack on a well-known company attracts more public and media attention. As cyber attacks are happening more frequently now and to more and more different organisations, will the interest wane and the public and media attention turn to a different threat?

4. The consequence of an attack may be invisible. A hacker could have been in your systems for 200+ days and taken all the information assets, data and intellectual property they want, yet there could be no actual impact on the organisation’s IT systems, which could still be running normally. You may not know that you have had an incident until someone tells you. You can’t manage an incident if you don’t know one is taking place. If your headquarters building goes on fire, the incident will be entirely obvious. It is difficult to explain how you had a cyber incident weeks, months or, in some cases, years ago and have only just noticed it now.

5. If the cyber attack is targeted against your organisation, you have the additional issue of trying to manage the incident and recover from it, at the same time knowing that someone has done this deliberately. You would have good reason to worry about what else they might have done and whether they could do the same again or something worse next time. What can the organisation do to protect itself? Sometimes the feeling is similar to being burgled; it takes a long time to feel safe again and in the back of your mind you are always thinking that it might happen again.

6. At the beginning of the incident, you may not know the full impact of the breach and it may take several days to understand the full consequences, what has occurred and what you have lost. At the same time, your customers, staff and regulators may be putting you under a lot of pressure to give them all the information on the incident. If your initial assessment is wrong and you have to admit that the loss of data was greater than you said initially, at best you look incompetent and at worst dishonest, as if you were trying to cover up the full extent of the breach. Under GDPR you only have three days to provide information about the full extent of the breach and who has been affected to the Information Commissioner's Office.

With a cyber event, the impact could be wider, the consequences greater, the public scrutiny more intense and there is also the issue of trying to manage an incident without really knowing what happened, who did it and what has been lost. The stakes are higher and the impact of failure greater, especially on senior management and the organisation’s reputation.


