This week Charlie looks at the ways in which cyber and "normal" incidents are different and why these differences may affect how the incident is managed.
Over the last ten days, I have run both a one and a two day Managing and Preparing for Cyber Incidents training course and, as a result, I am in the cyber incident management "zone". So, this week I thought I would share some feedback from the classes on what they thought were the differences between managing a cyber incident and managing a "normal" incident.
Of course, there are many similarities: either kind of incident could have serious consequences, needs an incident management infrastructure to manage it, and has a crisis communications element. A cyber incident may also cause a normal incident, so an attack on a power grid may leave a power company managing customers with no power, or a ransomware attack may take down company systems, leaving the organisation with no access to IT or telephony. There are, however, a number of differences between the two types of incident, and these may lead you to manage a cyber incident differently, even if the consequence of the attack is the same.
The main differences are as follows:
1. The response to a cyber attack can have high-risk consequences for the organisation, in terms of impact and reputation. It also has high-risk consequences for those responding. Equifax lost its CEO, CIO and CSO after its massive loss of data in the autumn of 2017, and the senior executives of other organisations that have suffered a cyber breach have met the same fate.
2. Due to the reporting requirements for data breaches, and especially those of GDPR, it will be difficult for the organisation to keep quiet about the incident, which makes reputational damage more likely. The impact of a cyber incident can go well beyond the immediate victim, the organisation itself. There is also a requirement under GDPR to contact those affected, so a cyber incident can impact many more stakeholders than a "normal" incident. Equifax lost 143m records, which is a lot of people to contact and a lot of people for the organisation to have harmed.
3. An office block burning down is not very interesting in terms of news coverage, but a cyber attack on a well-known name attracts far more public and media attention. As cyber attacks seem to happen more frequently and to more and more organisations, will interest wane and public and media attention turn to a different threat?
4. The consequence of an attack may be invisible. A hacker could have been in your systems for 200+ days and taken all the information assets, data and intellectual property they want, yet there may be no visible impact on the organisation's IT systems, which could still be running normally. You may not know that you have had an incident until someone tells you, and you can't manage an incident if you don't know one is taking place. If your headquarters building catches fire, the incident is entirely obvious. It is difficult to explain how you had a cyber incident weeks, months or, in some cases, years ago and have only just noticed.
5. If the cyber attack is targeted against your organisation, you have the additional burden of managing the incident and recovering from it while knowing that someone has done this deliberately. You would have good reason to worry about what else they might have done and whether they could do the same again, or something worse, next time. What can the organisation do to protect itself? The feeling is sometimes similar to being burgled: it takes a long time to feel safe again, and in the back of your mind you are always thinking that it might happen again.
6. At the beginning of the incident, you may not know the full impact of the breach, and it may take several days to understand the full consequences, what has occurred and what you have lost. At the same time, your customers, staff and regulators may be putting you under a lot of pressure to give them all the information on the incident. If your initial assessment is wrong and you have to admit that the loss of data was greater than you first said, at best you look incompetent and at worst dishonest, as though you were trying to cover up the full extent of the breach. Under GDPR you have only three days to provide information on the full extent of the breach, and on who has been affected, to the Information Commissioner's Office.
With a cyber event, the impact could be wider, the consequences greater and the public scrutiny more intense, and there is also the problem of managing an incident without really knowing what happened, who did it and what has been lost. The stakes are higher and the cost of failure greater, especially for senior management and the organisation's reputation.
If you would like to make sure your organisation is prepared and knows how to manage a cyber incident, come on the two day Managing and Preparing for Cyber Incidents course in London on 5th-6th March 2018 or get in touch with BC Training to arrange an in-house course for your organisation.