It seems like a straightforward question. What do we do in the event of a cyber incident?
Cyber incidents take many forms, from ransomware attacks and social engineering fraud through to system failures and targeted hacking campaigns. Any of these can have a major impact on an organisation, leading to financial loss and damage to brand and reputation. Being unprepared makes that impact worse.
The steps to become prepared for a cyber incident are enlightening for organisations and I often find that many aspects of a cyber incident plan will already be in place.
Key is ensuring that response stakeholders within an organisation have a clear plan, as simple as a “plan on a page,” that maps out the steps that should be taken.
A productive approach starts with an Incident Readiness Assessment, which brings to light the issues that arise when an incident happens and the measures the organisation should take to be well prepared. This does not have to be a lengthy or complicated process, and it provides immediate clarity about who does what when an incident occurs.
I have spoken with many organisations of different sizes and natures of operations about their incident preparedness, and most often the answer is that the IT team is responsible for management of any cyber incident.
Financial loss and damage to brand and reputation affect the entire organisation, not just IT. As with other major risks, they should be broken down and risk mitigation strategies developed and tested. Whilst the IT response to an incident is a critical component of an organisation's response, there are other key responsibilities of leadership during an incident that need to be determined, clearly articulated and prepared for.
A few examples:
a) If a ransomware attack occurs and users cannot access data, a decision will need to be made as to whether to consider paying the ransom to recover the data or to revert to the latest backup, which will result in the loss of any changes made since that backup was taken. Reverting assumes the backups themselves are intact and restorable, which is only certain if they are kept isolated from the production environment and restores have been tested beforehand; a restore also only holds if the attacker's access has been removed first, otherwise the restored systems can be encrypted again. Ransomware attacks will cause a business interruption in any case; how severe depends on the existing backup and data recovery strategy and on the steps taken immediately after the incident. Often third-party service providers will be involved. Leaders must make quick decisions about which actions to take to minimise business impact, while the IT team is busy establishing the extent of the incident and how to most effectively return the business to normal operations. A decision such as paying the ransom (which has been proven to be very unpredictable and risky: payment does not guarantee working decryption, and depending on who is being paid it may raise legal and sanctions issues) or accepting the loss of a day's or several days' work rests firmly with senior management. Someone from the leadership team, empowered to make these kinds of decisions, must be available at any time to make the call. (2024 note: the board may need to be the one to decide whether a ransom is paid; this is best clarified with them before an incident.)
b) If an organisation experiences a data breach, the consequences can be extremely serious. Upon realising there has been a breach, the IT team and third-party service providers will work together to contain it, preserve the evidence needed to establish what happened, understand the impact, and provide management with the necessary information about which data was accessed or taken and who is affected. Some important decisions will then need to be made:
- Should we involve law enforcement?
- Do we have to notify those affected and the OAIC (Office of the Australian Information Commissioner) under the Notifiable Data Breaches scheme, and within what timeframe?
- How should we communicate the incident to employees, customers, the board and shareholders?
Making the correct decisions in these situations, quickly and by the right people, is key to minimising the brand and reputation damage, as well as the financial impact, of a cyber incident.
Please contact us to discuss your preparedness for a cyber incident.