John Noble CBE is an advisor to Glasswall and non-executive director at NHS Digital, where he is responsible for overseeing cyber security and information assurance. Here, he shares insight and advice on how organizations should react when faced with a cybersecurity crisis.
Like many forms of crisis management, mitigating the impact of a cybersecurity attack and recovering to business as usual is not just about reacting to events - it’s a process that always benefits from effective forward planning and preventative strategies.
Consider ransomware, for example, one of the most common forms of cybercrime with the potential to be hugely disruptive. All too often, organizations find they have no alternative other than to pay the ransomware demand because their data has been encrypted, their backup has also been lost, data has been stolen and there is massive commercial pressure to recover. If the only other option is a prolonged period of downtime while systems are rebuilt, leaders frequently take the path of least resistance and cave in to the demands being made.
Countering the risk of ransomware, however, means organizations should take some key steps in advance so they aren’t put in an impossible position. These include activities such as ensuring software patching is up to date, addressing the serious security shortcomings of untrustworthy legacy infrastructure and making sure staff are trained to identify and report potential phishing emails.
Minimizing the risk of becoming a victim also requires taking additional steps such as protecting privileged accounts, implementing multi-factor authentication and disabling or constraining scripting environments and remote access such as Remote Desktop Protocol. These represent a list of minimum requirements for any organization taking the current risks seriously.
Effective preparation also requires detailed forward planning that focuses on addressing a crisis quickly and effectively. Key steps include:
- Implementing offline backup that is genuinely secure.
- Ideally, practicing recovery from backup. For some organizations, this has the potential to be hazardous to existing operations, so the alternative is to hold a discussion with IT partners and suppliers to ensure there is access to the expertise and resources needed to recover from backup should it be necessary.
- There should also be well-rehearsed incident management and business continuity plans in place to address the consequences of an attack on key operational functions.
- Depending on the nature of each business and its resources, leadership teams are increasingly putting assistance from an incident response company on permanent standby.
What Bad Practice Looks Like
Turning now to dealing with an incident, organizations that struggle to handle events such as a ransomware attack tend to share some common traits. For example, executive teams should not make the mistake of assuming a cybersecurity breach is a technology problem that falls solely on the shoulders of the CISO.
Yes, the CISO has a vital role in tackling the tech problem and helping the organization to recover, but there’s more to it than this. The responsibility for dealing with and mitigating the impact of a serious breach goes right across the whole management team - from legal and reporting and statutory requirements to business operations, customers and just about every function where technology has any role.
Quick and decisive implementation of mitigation and recovery plans (if they exist) is also vital. What can happen, however, is that teams resort to optimism bias, rather than assuming the worst case. The negative impact of this often becomes apparent when in-house staff are soon overwhelmed by the tremendous pressure of dealing with the scale of an attack. This is often the point where companies turn to external, specialist support and incident response - while this is important, it’s always better to involve experts in advance planning rather than in an emergency.
What Good Practice Looks Like
In contrast, an effective mitigation and recovery process always begins by ensuring someone is clearly in charge and armed with the authority of the CEO to make decisions across the organization.
There should be an incident response structure in place that has buy-in from senior management. These decision-makers might not be technical experts, so should be provided with all the key information they need in an understandable format. This shouldn’t be seen as ‘dumbing down’, but rather is a process to ensure they are given insight and detail in a way they can use to make effective, fully informed decisions.
Best practice must be supported by clear and effective internal and external communication, based on a core script that is updated as new information becomes available. Each piece of communication needs to be geared to the recipient but the underlying message must be consistent, including a plan for stakeholder management.
Decisions about whether to seek specialist, external help should be made early on in the process, especially before in-house teams become exhausted by the effort required to address the crisis. Organizations often assume these services will be prohibitively expensive, but in reality, business costs can be significantly higher than the bill from a specialist advisor. The need for external support should have been identified in advance of an attack, and commercial arrangements put in place well before any incident.
Preparing for something that might never happen can seem like an unnecessary overhead, compared to the range of daily priorities every organization encounters. However, faced with a crippling ransomware attack, those dealing with it will almost always talk about how much pressure it puts them under, and teams that have prepared in advance are, without exception, very glad they did.