What to Do When the Worst Happens: Addressing and Recovering from a Cyber-Attack

There’s No Security Through Obscurity

A fallacy used to pervade that if businesses could fly under the radar they could stay out of cybercriminals’ crosshairs. This could lead to a degree of complacency when it came to implementing appropriate cyber security arrangements.

Any complacency this fallacy feeds is dangerous. Anonymity is not an effective deterrent against a potential attacker – in fact, as we explored in a recent blog, cybercriminals are increasingly setting their sights on smaller businesses precisely because they believe their cyber security postures are less robust than those of larger enterprises.

Preparation is Everything

If you invest sufficiently in your security incident response readiness, you will give your business the best possible chance of reacting effectively to a cyber-attack. During the seminar our Principle GRC Consultant Mark Arcatinis explained the importance of adopting a three phased approach:

• Assess Readiness. Understand the efficacy and maturity of your organisation’s security controls across people, processes, and technology.
• Improve Readiness. Prioritise remediation efforts in accordance with your assessed threat and defined risk appetites.
• Test Readiness. Carry out scenario testing to assess your capabilities across strategic, operational and technical response.

Our Head of Cyber Security Assurance Michele Peroli ran the delegates through some real-life examples of how preparedness makes a huge impact on our Cyber Incident Response Team’s ability to deliver effective support to businesses when they are hit by a cyber-attack.

Prioritise Your Main Threats

Effective cyber security preparedness is all about prioritising efforts towards where cybercriminals may seek to attack you. Like all organisations, you will be targeted through phishing emails and ransomware attacks. But other methods may well be unique to the industries you operate in.

The MITRE ATT&CK® framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. By using the framework, you can triangulate which hacker groups are targeting your industry and the attacks they are using – give you useful intelligence around areas of your cyber security posture you should prioritise.

Don’t Overcomplicate Things

When your business is hit with a cyber-attack and you need to respond, time is of the essence. Get bogged down in too much bureaucracy, and you risk allowing the attack to spread and worsen when a more streamlined approach would have minimised the damage caused.

During the seminar our Cyber Security Assurance Technical Director Andy Swift explained how creating a small, efficient working group and empowering it to make rapid decisions as an incident evolves is an important aspect of an effective incident response. Nominated senior decision makers should be part of this group – minutes lost escalating decisions can be critical.

Get Your Crisis Communications Right

Every crisis is unique. The response to every crisis will turn on the facts – how many customers are impacted, what the wider implications are, what you know, what you don’t know, and even what you don’t know you don’t know. This can make it blurry. But the general rules of responding to a crisis are the same. And actually, when you take a step back, they are mostly common sense.

Hannah Sobolewski, Account Director at Touchdown PR, explained to delegates how crisis communications can be separated into three stages:

• Pre-Crisis. Pre-crisis is all about preparation. A fundamental part of this is deciding who will be on the crisis comms team – not to be confused with your comms department. The crisis comms team will include members of your senior management, finance, technical, product, and HR departments. How you communicate should also be mapped out – you will need to be able to communicate and make decisions 24×7.
• Crisis. An incident has happened – tell your crisis comms team fast. Once the facts are established, two things should happen almost simultaneously. First, customers and other stakeholders should be informed. Then, at almost exactly the same time, a public statement should be made – you don’t want a customer breaking the story. At all times you need to control the narrative. If the media does have questions, the crisis comms team will need to deliver short, factual answers, fast. Any press statements should be made by a senior team member, usually the CEO.
• Post-Crisis. Post-crisis is when the business is returning to normal. The situation should still be monitored by the crisis comms team.

Be Kind – This Isn’t a Blame Game

In the final session of the seminar, our Chief Product and Technology Officer Phil Wood shared first-hand experience of responding to a cyber-attack. One of his insights was around the psychological effects a cyber-attack can have on employees – especially those involved directly in IT and cyber security.

Cyber incidents can elicit a great deal of guilt and anxiety in employees who feel that they are somehow to blame for letting the incident happen. Engage them early on, with the support of your HR department, to reassure them that the business is not trying to apportion blame; their jobs are not at risk; and that the focus is purely on control and recovery.

This is incredibly important messaging to share with them that will not only improve their mental wellbeing but also make them more impactful allies in the business’ journey to recovery.

Improving our Cyber Understanding Together

The cyber security landscape is constantly evolving, with new risks emerging all the time. By accepting that cyber incidents will happen and investing time to prepare ourselves for when they do, we will reduce the cyber security risks we face both as individuals and together as organisations.

Cyber University is an ongoing series of seminars. Register your interest in joining the Cyber University for free here.