Responding to a cyber-attack and fostering cyber resilience within your organisation

27 July 2017


At the recent InfoSecurity Europe conference held at Olympia, London, we were asked to facilitate a live incident response scenario to a cyber-attack. We asked leading subject matter experts to join us on stage and play the roles of senior management who are most likely to be involved in handling an organisation’s response to an attack. What followed was a refreshing reminder of how quickly incidents can escalate, as well as some uncomfortable home truths. Below are some reflections on best practice in handling an incident and key learnings that came from the session.

Data breach or extortion? Engage external help

If someone stole your car, you’d call the police, wouldn’t you? Your customers would expect you to do the same if someone stole their data from you. For the right number to dial (please not 999) look at the action fraud website, which is the portal for reporting cybercrime and engaging law enforcement support. Even better, have it as an assigned action in a response plan or playbook. It will be down to your business to do the forensic analysis (possibly more external help may be required here) but law enforcement will help you look at who might be behind the incident, including the insider threats. There’s a lot they can bring to your decision-making process based on their experience, and they’re trusted with confidential information. It’s your business, systems and customer base and they absolutely respect that. Speak to them early so they’re not playing catch-up later.

Strong crisis leadership is critical

In the early hours and days of a cyber crisis, real leadership is critical. You’re firmly in the grey void of information deficit with big decisions to make, and you might well be receiving conflicting advice from your crisis management team. It might be public knowledge before you’ve even begun to get your arms around what’s happened. Do you communicate with customers? Which ones? Saying what? What about the media? How much do you give the regulator? Do you keep the service online or pull it in case of compromise?

Prepare for this.  Really, it’s reckless not to, and it’s absolutely expected of an organisation now. When the world is watching, the media are scrutinising, and every statement and action shapes brand perception, having an intelligent, exercised cyber playbook and communications plan is a must. Keep endurance leadership front of mind. If you go hell for leather for 24 hours and beyond you’ll start to trip up, make bad decisions or treat people unfairly. The more work you’ve done in advance to prepare for this scenario, the more efficiently and calmly you will be able to deal with it. Don’t forget that business-as-usual still applies, too.

Sorry for the inconvenience, not the event

Public perception has evolved, along with the scale and complexity of cyber-attacks. Previously there might have been some sympathy – ‘oh what a terrible thing to have happened’. That perception then shifted to anger – ‘why is this still a problem?’ Today it’s annoyance – ‘just my luck to choose the service provider wrapped up in the latest breach’, at a time when competition is fierce and increasing.

Customers want reassurance that you’re doing everything you can to get things back to normal and work through this problem. They want to hear that you’re sorry for their inconvenience. They want practical advice on what they need to do. Social media activity is a popular outlet through which people may want to vent. Identify the big influencers on social media and engage with them. Understand the inconveniences to your customers, reassure them, let them know the extent of the action that you’re taking and keep your messaging consistent with what you’re telling the regulator and business partners. Businesses need to put customer trust at the centre of their decision-making and work outwards from there.

Do you have a plan in place? And what would be the first three items on your agenda in the event of an attack? To find out more or to speak to someone about your cyber security plan please contact Paul Robertson.

Hamish Cameron | Enterprise Resilience Specialist


More articles by Hamish Cameron