Knowing your ‘knowns’ and managing the unknown – preparing for and responding to cyber incidents 

Dominic Cockram of Regester Larkin presents some key lessons that will help organisations to prepare for the event of a cyber attack or data breach

_{In the event of a cyber attack or data breach, it is not just the systems themselves that need attention: organisations must have a cyber preparedness strategy with clear ownership and defined responsibilities (123rf/thelightwriter)}

Cyber attacks and data breaches are here to stay. As long as confidential commercial data and personal information hold a financial value on the black market, the battle between cyber criminals and corporations will continue.

While the cost of cyber attacks is well understood – TalkTalk admitted to losing £60 million in revenue and 100,000 customers following its data breach in 2015 (see current issue of CRJ for article by TalkTalk describing the attack and how the company responded) – other possible impacts are not as clear cut. Indeed, the 2016 UK Government Cyber Health Check and survey of FTSE 350 companies found just 49 per cent of organisations had a clear understanding of the potential impacts on their organisation.

It is time to understand what being prepared for a cyber crisis means. Here are four key lessons to help organisations prepare:

Appoint a cyber czar

Corporate boardrooms are beginning to recognise cyber risk but there is still no clear ‘owner’ of this varied and always complex issue. While many organisations have a chief information officer, chief technology officer or chief information security officer, there is seldom an executive leader with the right level of understanding, accountability or authority to lead a cyber strategy.

A cyber preparedness strategy requires a statement of ownership and defined responsibilities across your organisation. It must bring together the groups involved in a cyber response – from IT to customer services. Furthermore, it requires a clear understanding of its own risk appetite and clear policies to ensure the cyber programme can integrate with other operation and strategic activities.

Knowledge is power

Lack of cyber awareness at all levels of an organisation is a serious risk; it can unravel all the good work done by information security teams. Organisations are often left grasping for facts in the face of experienced – and today often technically adept – journalists with questions they should or could know the answers to, leading to public outrage and disappointment at their inability to provide reassurance.

There is no excuse not to have at your fingertips key facts about your systems, data, encryption, budgets and the other areas you know the media and other stakeholders will want details of.

Each function supporting your organisation’s cyber crisis response should know its role, strengths and vulnerabilities, for example does the legal team understand potential liabilities of a data breach? Can the communication team respond to stakeholder questions? In short, cyber risk awareness is a broad and important area requiring strong support across the organisation.

Prepare to deliver a response

If we accept cyber incidents are inevitable and a critical reputation risk, preparing an effective cyber incident response is vital.

The speed of the response can determine how well the situation will be managed and resolved. A quick response requires pre-prepared tools, processes, procedures, checklists and structures, as well as responders who understand their roles and responsibilities and recognise where they are empowered to act.

While high impact cyber incidents are, in many ways, similar to other crises a senior management team might face, their uncertainty and complexity provoke unique challenges. To prepare, teams can take a number of steps:

• Crisis management frameworks and capability can be reviewed against cyber scenarios and exercises should build your teams understanding and competence in the risk and be conducted at different levels.
• Give technical teams a chance to use their analytical tools, understand how long the various proposed actions might take, practise detailed tracking and log analysis, test information flows and reporting, and ultimately manage a coherent technical response. Workflows should not just be on paper – they need validating in real time to reveal gaps and potential issues.
• Give senior executives the chance to acquaint themselves with cyber risk in ‘peacetime’ and realise how complex a data breach response can be. During cyber exercises we frequently see them develop very different response strategies to other crisis scenarios.
• Scenarios should also explore the links between incident management and crisis management levels – referred to as silver and gold by some, tactical and strategic by others – to test information flow and situational awareness.

Avoid repeating your errors

There is often a tendency following a crisis or near miss to breathe a sigh of relief and rush back to business as usual. It is important to understand why the incident happened in the first place, as well as identify and learn lessons from the incident response to improve for next time.

We frequently observe, however, organisations failing to learn lessons from incidents they – or others – have suffered. Even when an investigation is carried out, the lessons are not always widely shared, let alone learnt.

Conducting a post incident review, identifying what worked well and didn’t, is a sign of a mature organisation keen to learn and develop. Taking the lessons and then generating change is an even greater challenge but does more than repay the effort. Non-executive directors and other board members can provide the much needed leadership and governance to ensure reviews are done, lessons are carried forward, and incidents do not repeat themselves.

Dominic Cockram is Board Director at Regester Larkin. To discuss any of the issues raised in this piece, please contact him here