There is an old Irish anecdote in which a tourist asks for directions and the local wag replies: “Well, I wouldn’t start from here.” In much the same way, all cybersecurity experts agree that a tried and tested crisis management plan should already be in place, but equally, all echo the infamous Dad’s Army catchphrase “don’t panic” regardless.
Howard Shortt, director in the forensics and cyber practice for Grant Thornton, stresses the need to ascertain that it is actually a crisis and not a blip. If certain predetermined thresholds have been reached, then it is time for senior management to jump into action.
“Often the first thing to do will be to isolate the threat by unplugging the network or removing certain devices. Organisations should have the plan to hand, literally and not stuck on a device, and the senior executives should not be surprised about their respective roles.”
Shortt says there are three key elements required to manage the crisis. The first is to know what you have, i.e. your asset management. The second is to know how critical each asset is — so that there are different and proportionate controls for crucial systems.
“Finally, the organisation needs to know how to protect its assets through a mixture of maintenance, isolation, segregation, access control and privileged user management,” he says.
David McNamara, CEO of Commsec, also stresses the need to have a documented and tested crisis management plan in place.
“For example, one of the most damaging forms of cybercrime is ransomware. It is really important that the organisation has already had the conversation in advance of an attack — will they negotiate with the hackers or not? This sets the tone of everything else to follow.”
Likewise, with regard to data, McNamara argues that it is not enough simply to take backups: they need to be routinely checked to make sure they are not corrupt, held off-site and preferably encrypted, with two-factor authentication in place.
In the absence of a tested plan, McNamara advises bringing in a professional as soon as possible to help run the recovery.
Communication is also critical. “In the HSE attack they were good at this. They were forced to move directly to paper-based procedures, but they made sure that everyone was up to speed. This is critical to identify what needs to be said, to whom and by which medium,” says McNamara.
Shortt cites a similar, well-managed case, this time involving the Norwegian company Norsk Hydro. “They agreed in advance that no ransom would be paid, they brought in a professional services company to help, and they set up a new online incident blog where they communicated to everyone frequently.”
McNamara stresses the need for professionalism in communication — including the requirement to report any data breaches to the Data Protection Agency within 72 hours in the case of any significant data loss.
Staff training is also critical. McNamara points out that most ransomware attacks happen when a member of staff clicks a link by mistake. “Not only do organisations need to train staff to be alert for such dangers, but also how they should react afterwards if they believe something has happened — as in to report the worry immediately, not the next day.”
EY Ireland cyber leader Puneet Kukreja likens the required response to a fire drill or alarm.
“Everyone should have their role, but it is important not to put two roles on the one person — for example, restoration of service and forensic analytics. During the immediate aftermath of the attack, the same person cannot fulfil both roles as both have very different outcomes.
“I always talk about the practice of good cyber hygiene, such as making sure your backups are secure, your roles are clear and increasingly that your insurance policy covers you adequately. We ask all our clients to check their insurance as the increase in cyberattacks has increased the amount of fine print that may leave an organisation vulnerable.”
Kukreja points out that while an organisation may be on top of cyber hygiene — in the same way you mind a car with regular services, new tyres when needed and check-ups — sometimes something can happen that is outside of its control.
“What if a car loses control on the other side of the road and crashes into you? You can’t necessarily predict it at the time, but your insurance should deal with the aftermath. Oh, and it’s a good idea to have a legal team on board too, especially regarding your comms channels, because client-attorney privilege can kick in should you need to, so having access to that is quite key.”
David Cullen, partner and head of technology at William Fry Solicitors, says that, in his experience, cyberattacks are more common now and often more aggressive and disruptive in nature.
“Threat actors will exploit every means at their disposal to seek to make a lot of money as fast as possible. We’ve seen these criminals apply pressure not just to the organisation itself, say via a ransom demand, but they will also target others such as customers, personnel and even regulators with threats, such as releasing data stolen in the attack, unless monies demanded are paid.
“Overall, once a forensic investigation has determined the source, as best it can be done, and the organisation is up and running again, we advise clients to look back and identify lessons to be learned. After an organisation is attacked, there is an increased likelihood of it being the subject of other attacks, so dealing with any vulnerabilities and reviewing cybersecurity is strongly advised,” says Cullen.
Shortt says: “Good practice, and practice where improvement can be made, should be documented and prioritised to help raise an organisation’s senior leadership team’s awareness, validate the plans, know how to respond and minimise threat success.
“In summary, threats will occur, become resilient.”