Cyber attacks continue to rise across the board and companies of all sizes risk falling victim to a cyber attack and being hit by its damaging consequences – from disrupted business operations and compromised sensitive data to financial losses, reputational damage, and even legal and regulatory liabilities.
Having rigorous controls in place to protect against cyber attacks in the first place is critical. However, it’s also important to adopt a mindset that assumes a breach will occur in your organization at some point. This pragmatic stance encourages concrete preparation for the fallout from a cyber attack: hope for the best, but plan for the worst.
At the same time, a business’s first priority after an attack is understandably to return to usual operations as rapidly as possible to limit long-term financial or reputational impact. In some cases, though, this results in a rushed recovery: the root cause of the attack is not sufficiently analysed, or the evidence required to build a forensic picture of what happened is inadvertently destroyed, for example by reimaging compromised hosts or rotating credentials and logs before disk images, volatile memory and relevant log data have been preserved.
Plan, plan, plan ahead
If an attack occurs, it’s crucial to have cyber incident response and disaster recovery plans in place so that you can respond and mitigate damage effectively. These plans form a crucial part of wider operational resilience strategies. Depending on the type of attack, the appropriate response can then be called on to alleviate impact and help return the business to normal operations.
Cyber attacks leverage multiple attack vectors, and bad actors rely on a toolset of different methods and approaches to breach networks. With so many potential attack scenarios, it is vital that planning is sufficiently customised and rehearsed to cover multiple eventualities. The more realistic the simulation exercises (tabletop walkthroughs, purple-team runs), the more they reveal about how the plan holds up, and the more value they provide in refining cyber security response planning.
Don’t forget the washup
Once you’ve followed the steps outlined in the cyber incident response plan, conducting a thorough analysis of lessons learned is vital. This is a step that businesses often skip in their desire to get back up and running, but it is just as important as any other. The learnings that arise from a cyber attack are crucial and go a long way in informing future response actions.
A thorough ‘washup’ involves understanding the effectiveness of your organization’s cyber incident response plan, and there are several steps to consider. The first is a review of the detail and timeline of the incident: when the attacker got in, when the activity was detected, when the incident was declared, contained, eradicated and recovered from, and how closely the cyber incident response procedures were followed at each stage.
Businesses should also identify the actions or decisions that negatively impacted the effectiveness of the recovery and propose new approaches to dealing with a similar future cyber incident.
Next, any investment in toolsets or training required to improve future detection, mitigation, recovery, or remediation must be evaluated. Organizations should also assess how effectively any third-party organizations fulfilled their cyber incident recovery responsibilities.
The key takeaway of this process is to evaluate the ‘real-world’ effectiveness of the cyber incident response plan in dealing with an attack. In theory, a plan may look like it has all the bases covered – but it may be found lacking in a trial by fire. These key learnings can go a long way to correcting gaps in the response capability of a business.
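One concrete output of the timeline review is a set of phase durations (dwell time before detection, time from detection to declaration, declaration to containment, and so on) compared against the targets the response plan promised. The script below is an added example written for this article, not code from Daisy or the author: it takes a constructed incident timeline and assumed plan targets (the milestone names and the hour limits are illustrative, not the article’s terminology) and reports which phases overran, which milestones were never recorded, and whether the recorded order of events even makes sense. Those three findings are the ones that most often get lost when a washup is skipped.

```python
"""Post-incident timeline review for a washup (added example).

Takes a timeline of (ISO-8601 UTC timestamp, milestone, note) rows and a
dictionary of assumed plan targets, and returns phase durations in hours
plus a list of findings for the lessons-learned review.
"""
from datetime import datetime

# Constructed sample timeline. Milestone names are an assumption of this
# example, not terminology from the article or any particular framework.
SAMPLE_TIMELINE = [
    ("2024-03-01T02:14:00Z", "initial_access", "Phished credential reused for VPN login"),
    ("2024-03-03T09:40:00Z", "detected", "EDR alert: credential dumping on file server"),
    ("2024-03-03T10:05:00Z", "declared", "Incident declared, IR bridge opened"),
    ("2024-03-03T16:30:00Z", "contained", "Account disabled, host isolated from network"),
    ("2024-03-05T11:00:00Z", "eradicated", "Persistence removed, credentials rotated"),
    ("2024-03-06T08:00:00Z", "recovered", "Services restored and validated"),
]

# Assumed plan targets: maximum hours allowed between two milestones.
PLAN_TARGETS = {
    ("detected", "declared"): 1,
    ("declared", "contained"): 4,
    ("contained", "eradicated"): 48,
    ("eradicated", "recovered"): 24,
}

# Expected order of milestones, used to catch a timeline that runs backwards.
MILESTONE_ORDER = ["initial_access", "detected", "declared",
                   "contained", "eradicated", "recovered"]


def parse_timeline(events):
    """Return {milestone: datetime}; reject duplicate milestones."""
    out = {}
    for ts, milestone, _note in events:
        if milestone in out:
            raise ValueError(f"duplicate milestone: {milestone}")
        out[milestone] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return out


def phase_hours(milestones, start, end):
    """Elapsed hours between two milestones, or None if either is missing."""
    if start not in milestones or end not in milestones:
        return None
    return (milestones[end] - milestones[start]).total_seconds() / 3600


def review(events, targets):
    """Compute dwell time and per-phase durations, flag missed targets.

    Returns (metrics, findings). metrics maps "<start>-><end>_hours" to a
    float or None; findings is a list of human-readable issues.
    """
    m = parse_timeline(events)
    metrics = {"dwell_hours": phase_hours(m, "initial_access", "detected")}
    findings = []

    for (start, end), limit in targets.items():
        hours = phase_hours(m, start, end)
        key = f"{start}->{end}_hours"
        metrics[key] = hours
        if hours is None:
            findings.append(f"{key}: milestone missing from timeline, cannot assess")
        elif hours > limit:
            findings.append(f"{key}: {hours:.1f}h exceeded plan target of {limit}h")

    # Milestones that are present must not be recorded out of order.
    present = [x for x in MILESTONE_ORDER if x in m]
    for earlier, later in zip(present, present[1:]):
        if m[later] < m[earlier]:
            findings.append(f"{later} recorded before {earlier}: timeline needs correcting")

    return metrics, findings


if __name__ == "__main__":
    metrics, findings = review(SAMPLE_TIMELINE, PLAN_TARGETS)
    for key, value in metrics.items():
        print(f"{key:32s} {'n/a' if value is None else f'{value:.1f}h'}")
    print("findings:" if findings else "findings: none")
    for line in findings:
        print(" -", line)
```

On the constructed timeline the review reports roughly 55 hours of dwell time before detection and flags only the declaration-to-containment phase, which took about 6.4 hours against a 4-hour target. Removing a milestone from the timeline (a common gap when nobody kept the incident log up to date) produces a separate finding rather than a silent skip, which is exactly the kind of record-keeping failure a washup should surface.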
Walk the walk, talk the talk
Effective, managed communication is vital at all stages of the incident response process. Protocols should be in place to manage messaging so that its accuracy, timing, and scope are controlled. Roles and responsibilities defining who is authorised to communicate incident information, to whom, and to what extent must be in place to control the flow of information effectively.
Both the clarity and timing of messaging are essential – the cyber incident response team may be aware that the attack is now over, but has this been communicated to the rest of the business and customers? It’s important to remember that just because the attack is over, it doesn’t mean the impact on reputational damage has been completely nullified.
Another pitfall in rushing a recovery is declaring an early victory before fully validating that position. Validation means more than restoring services: it means confirming that the attacker’s access and persistence have been removed, that exposed credentials have been rotated, and that monitoring is in place to catch a return. It looks bad if a business communicates that systems have been secured when in fact that’s not the case, and it dents organizational credibility further should there be a subsequent security incident due to a lack of due diligence in safely restoring services. Instead, measure twice and cut once when it comes to sounding the all clear.
Bounce back stronger
Understanding cyber incident response is fundamental to remaining vigilant in the face of threats. Working with an expert external partner can ensure that immediate steps are put in place to reduce the impact and help get the business back to normal. Don’t be afraid to engage cyber security specialist assistance early in the response lifecycle if required, particularly if your organization’s cyber resilience capability is in a fledgling state or still on the ‘to do’ list.
External security partners can bring seasoned cyber incident response experts into play, bringing with them the skillsets and toolsets required to navigate what can be a stressful time for any organization. They can also help bring that much needed structure to a complex incident recovery scenario. So, if a cyber incident does hit your business, you can rest assured you have the best chance of bouncing back better than ever.
Paul McLatchie is Security Strategy Consultant at Daisy