What Would You Do Following a Cyber Attack?
It’s a busy Wednesday afternoon when the IT manager walks into the CEO’s office with an ashen face. “We think we may have been compromised,” they state. It takes you a few moments to understand what they’re saying. It’s only the look on their face that makes you realise how serious this is.
“We’ve lost access to several key servers. I’m worried that the contagion might spread. I’d like your permission to take all our systems offline immediately.”
Immediately? That feels like an overreaction—think of the business disruption, the loss of income, the reaction of our customers. Surely this problem is manageable and can be contained.
The IT manager’s phone rings. They take the call and a terse conversation follows. “No email, are you sure?” they ask. You look at your own email but your computer’s playing up. It’s unresponsive. Then the screen goes black and is filled with red text. Someone called Ryuk wants you to pay them 220 bitcoins. That doesn’t sound like much. You try googling the answer on your phone but the Wi-Fi’s not working.
Cybercrime’s Rapid Evolution
This scenario is becoming all too familiar to many CEOs. One cyber-insurance provider has told us that they receive 15 notifications a day of ransomware attacks. Many of these companies have invested in cybersecurity measures, yet still they fall victim to a well-planned attack.
Cybercrime and cybersecurity are both rapidly evolving, with neither side in the ascendency for long. This means that no matter how good your cybersecurity defences are, there’s always a chance that a cybercriminal will succeed in breaching them.
Of course, we’ve all been here before. Planning for catastrophic events has been part of corporate life for decades. We put together our first business continuity plan in the 1990s and have been testing and refining it ever since. It’s run-of-the-mill stuff and has helped us keep the company operational despite the occasional severe winter storm, electricity supply failure or busted water pipe.
A successful cyberattack is just another disaster scenario. So, we decided it’s time to move on from focusing solely on technology to prevent this problem from occurring, and to start planning how to deal with the consequences of a cyberattack. Our mindset is no longer “if an attack succeeds” but “when.”
Developing an Effective Cyberattack Response
The first step is to test how we would respond to a successful attack. To do this, we turned to emergency response provider Fireside Partners. They help their customers develop tactical emergency response plans to deal with crises and conduct tabletop exercises to work through crisis scenarios. The exercises are used to refine the response plan. They also help develop management’s “muscle memory” of the steps required to manage the issues that arise.
For a cyberattack, these issues are manifold. How would you cope if your systems and data were encrypted in a ransomware attack? How long would it take you to restore systems and data from backup? How would you know if you’ve got rid of the malware? Would you pay a ransom? What are the business ethics and legal considerations of doing so? Can you trust the word of a criminal if you make the payment? What are your regulatory reporting requirements? What and when do you tell your customers? What are the financial consequences of the decisions you make?
Working through these issues as part of a tabletop exercise gave us the time and space to consider each one and explore its depths, a luxury we would not have had if this had been a real cyberattack and not a drill.
Leveraging Outside Resources
The answers to some of these questions are complex and we quickly realised we did not have enough knowledge within our organisation to answer them fully. We reached out and sought the advice of external legal counsel and our cyber-insurance provider. Both gave us valuable insight into how cyber incidents play out and how to engage specialist companies to help us during and after the attack.
We have carried out a number of exercises this year, refining and improving our Cyber Incident Response plan with each iteration. Our management muscle memory is improving. We have a clearer idea of how to organise ourselves, what steps to take, and how to find and use external expertise in dealing with a cyber incident.