Are you prepared for a cyber incident? Are your customers and service providers?

It seems like a straightforward question. What do we do in the event of a cyber incident?

Cyber incidents take many forms. These can range from ransomware attacks, through to social engineering fraud, system failures and targeted hacking campaigns. All of these can have a major impact on an organisation and lead to serious financial losses and damage to brand and reputation. Being unprepared will make the impact worse.

The steps to become prepared for a cyber incident are critical tasks for organisations, and I often find that many aspects of a cyber incident plan will already be in place. Often the components of incident response, like IT remediation and an organisation’s crisis communications, need to be tied together into a cohesive strategy. The key is ensuring that the relevant stakeholders within an organisation have a clear plan, as simple as a “plan on a page,” that maps out the steps that should be taken, as well as considerations such as service provider response capabilities.

A productive approach starts with an Incident Readiness Assessment that will immediately bring to light the issues that can arise when an incident happens and what measures the organisation should undertake to be well prepared. This does not have to be a lengthy and complicated process and will provide immediate clarity regarding roles and responsibilities when an incident occurs.

I have spoken with many organisations of different sizes and natures of operations about their incident preparedness, and most often the answer is that the IT team is responsible for the management of any cyber incident.

If we go back to my previous point about financial loss and damage to brand and reputation, these impacts affect the entire organisation, and many organisations consider cyber incidents to be their top risk moving into 2020. As with other major risks they should be clearly addressed, and risk mitigation strategies developed and tested. Whilst the IT response to an incident is a critical component of an organisation’s overall response, there are other key responsibilities of leadership during an incident that need to be determined, clearly articulated and prepared for.

A few examples:

Ransomware: If a ransomware attack occurs and users cannot access data, a decision will need to be made as to whether to consider paying the ransom to recover the data or to revert to the latest backup, which will result in the loss of any changes made since that backup. Ransomware attacks will cause a business interruption in any case; how severe it is depends on the existing backup and data recovery strategy and the steps that are taken immediately after the incident. Often 3rd party service providers will be involved. Leaders must make quick decisions regarding which actions to take to minimise business impact. The IT team will be busy establishing the impact of the incident and how to most effectively return the business to normal operations. Decisions like paying the ransom (which has been proven to be very unpredictable and risky) or losing a day’s or several days’ work rest firmly with senior management. Someone from the leadership team, empowered to make these kinds of decisions, must be available at any time to make the call.

Data Breach: If an organisation experiences a data breach, the consequences are far-reaching. Upon realising there has been a breach, the IT team and 3rd party service providers will work together to close down the breach, understand the impact and provide management with the necessary information about the data lost and those affected. Some important decisions will need to be made:

- Do we have to notify those affected and the Privacy Commissioner, making the breach and our response public?

- Should we involve law enforcement?

- How should we communicate the incident to employees, customers, the board and shareholders?

Making the correct decisions in these situations is the only way to minimise the brand and reputation damage, as well as the financial impact, of a cyber incident.

The CAP’s Incident Readiness Assessment services will place your organisation firmly on the path to being prepared and start to bring some peace of mind to those that have the tough decisions to make.

Once the Readiness Assessment is completed, and a plan in place with the response team prepared, it is time to run a risk simulation exercise to test the response. Any response plan is only as effective as its last test and these exercises will identify gaps in the plan.

Please contact the Cyber Advisory Practice to discuss your preparedness for a cyber incident.
