Cyber Incident Management Training - 10 Lessons Learned

Posted on 11 September

This week Charlie looks at the lessons learned during our first Managing and Preparing for Cyber Incidents course.

Yesterday, I ran Managing and Preparing for Cyber Incidents for the first time and I thought I would share ten lessons that were learned during the training.

1. When you have decisions to make that involve 2-3 different potential outcomes, it might be a good idea to develop a playbook for managing the incident. This will help your incident team choose one of the options available, depending on the circumstances of the incident. See my previous bulletin, What is a playbook and do you need one?, for details as to what should be included in a playbook.

2. You need to get your senior managers to understand your IT, including where it is situated and what the risks, capabilities and level of preparedness for a cyber incident are.

3. In a cyber incident, is the CEO the best person to be the organisation’s spokesperson or is it better to have an alternative spokesperson? With an alternative spokesperson, there is an ability to escalate the communications response to a more senior manager if required.

4. As part of your communications strategy, are you going to portray yourself as the victim or the villain? Are you an innocent victim who has been hacked, or was your IT security lax, making you the villain for not protecting your stakeholders’ data securely?

5. Have you practised your senior management team’s ability to make decisions, with far-reaching consequences and without access to all the facts of the incident?

6. Does your senior management team know the answers to the likely questions the media are going to ask after a cyber incident? Have you got a list of the other questions the media may ask, which the spokesperson needs to be briefed on?

7. Are the members of your incident management team and senior managers aware of the capabilities of the organisation? For example, if you want to isolate your systems from the outside world, i.e. “pull the plug”, how long does this task take and how easy is it to carry out?

8. Has your organisation carried out a vulnerability analysis to ascertain the following?

a. What do we have that others might want?

b. What data do we hold?

    i. Intellectual property

    ii. Negotiating positions

    iii. Staff data

    iv. Customer data

    v. Personal information

c. What is the most embarrassing bit of information we hold?

d. Do you have data which can be exploited for financial gain?

e. Ability to transact financial fraud (credit card numbers, bank details, etc.)

f. Possible impacts on operations (SCADA, integrated supply chain, etc.)

9. Does your organisation have a plan in place with the associated pre-written communications for what to say to staff, if their information held in company systems is compromised? Are you able to provide appropriate help to them if they are a victim of identity theft?

10. How can you demonstrate to customers, regulators and stakeholders you have taken appropriate measures to protect yourself? Consider certifying to ISO 27001 or Cyber Essentials Plus, which are both badges you can use to demonstrate your commitment to information security.