What Would You Do Following a Cyber Attack?

Posted on September 22, 2021

It’s a busy Wednesday afternoon when the IT manager walks into the CEO’s office with an ashen face. “We think we may have been compromised,” they state. It takes you a few moments to understand what they’re saying. It’s only the look on their face that makes you realise how serious this is.

“We’ve lost access to several key servers. I’m worried that the contagion might spread. I’d like your permission to take all our systems offline immediately.”

Immediately? That feels like an overreaction—think of the business disruption, the loss of income, the reaction of our customers. Surely this problem is manageable and can be contained.

The IT manager’s phone rings. They take the call and a terse conversation follows. “No email, are you sure?” they ask. You look at your own email but your computer’s playing up. It’s unresponsive. Then the screen goes black and is filled with red text. Someone called Ryuk wants you to pay them 220 bitcoins. That doesn’t sound like much. You try googling the answer on your phone but the Wi-Fi’s not working.

Cybercrime’s Rapid Evolution

This scenario is becoming all too familiar to many CEOs. One cyber-insurance provider has told us that they receive 15 notifications a day of ransomware attacks. Many of these companies have invested in cybersecurity measures, yet still they fall victim to a well-planned attack.

Cybercrime and cybersecurity are both rapidly evolving, with neither side in the ascendency for long. This means that no matter how good your cybersecurity defences are, there’s always a chance that a cybercriminal will succeed in breaching them.

Of course, we’ve all been here before. Planning for catastrophic events has been part of corporate life for decades. We put together our first business continuity plan in the 1990s and have been testing and refining it ever since. It’s run-of-the-mill stuff and has helped us keep the company operational despite the occasional severe winter storm, electricity supply failure or busted water pipe.

A successful cyberattack is just another disaster scenario. So, we decided it’s time to move on from focusing solely on technology to prevent this problem occurring, and to start to plan how to deal with the consequences of a cyberattack. Our mindset is no longer “if an attack succeeds” but “when.”

Developing an Effective Cyberattack Response

The first step is to test how we would respond to a successful attack. To do this, we turned to emergency response provider Fireside Partners. They help their customers develop tactical emergency response plans to deal with crises and conduct tabletop exercises to work through crisis scenarios. The exercises are used to refine the response plan. They also help develop management’s “muscle memory” of the steps required to manage the issues that arise.

For a cyberattack, these issues are manifold. How would you cope if your systems and data were encrypted in a ransomware attack? How long would it take you to restore systems and data from backup? How would you know if you’ve got rid of the malware? Would you pay a ransom? What are the business ethics and legal considerations of doing so? Can you trust the word of a criminal if you make the payment? What are your regulatory reporting requirements? What and when do you tell your customers? What are the financial consequences of the decisions you make?

Working through these issues as part of a tabletop exercise gave us the time and space to consider each one and explore its depths, which is a luxury we would not have had if this had been a real cyberattack and not a drill.

Leveraging Outside Resources

The answers to some of these questions are complex and we quickly realised we did not have enough knowledge within our organisation to answer them fully. We reached out and sought the advice of external legal counsel and our cyber-insurance provider. Both gave us valuable insight into how cyber incidents play out and how to engage specialist companies to help us during and after the attack.

We have carried out a number of exercises this year, refining and improving our Cyber Incident Response plan with each iteration. Our management muscle memory is improving. We have a clearer idea of how to organise ourselves, what steps to take, and how to find and use external expertise in dealing with a cyber incident.
