Cyber Incident Management - Looking Through the Wrong End of the Telescope
This week Charlie discusses why it is important for senior managers to be involved in cyber incident management.
This week, I thought we might give Brexit a break, I think we all need one! I have been wanting to write this bulletin for a while, and I have now finally got the time to do it. It also nicely ties in with my preparation and update of our ‘Managing and Preparing for Cyber Incidents’ course, which takes place on the 4th-5th March 2019, in London. So, this week I am going to argue that cyber incident management is too important to be left to ‘techies’ to manage, and the senior managers of the organisation need to have plans, be trained and have exercised the response to a cyber incident. In the end, it is in their best interest, as it is usually the CEO and CIO who get sacked after a major cyber breach, not the IT manager.
Whilst researching this bulletin, I have been reading as many incident management guides as I could get hold of. They have ranged from NCSC guidance on their website, to SANS Institute, ISACA, NIST, CREST and ENISA guides, and commercial guides from Databarracks and Rapid7. The last two references are courtesy of Mike Osborne and Gerry Grant, who replied to my request for information on cyber incident management guides on LinkedIn. I was looking for their guidance on the nontechnical aspects of the recovery, all of them contained useful information but many were quite old and were written pre-2010.
My argument is that we are looking at cyber response from the wrong direction, and we should be looking at the person or organisation who is affected most by the cyber breach. The effect of a cyber incident is ultimately that the customer can’t use our services. This could be that a website is down, or like what happened to Kwik Fit this week, where they had to turn customers away and cancel their appointments due to a ‘virus’ in the ‘IT network’. Ransomware attacks, like WannaCry, caused 1000’s of operations to be cancelled in the NHS and NotPetya, had a massive effect on the operations of DLA Piper and Maersk. Where data has been stolen or fraud has been carried out, such as the recent British Airways credit card fraud, or the Marriott data loss, the reputation of the company has been greatly dented and it has cost them large sums of money in compensation and customer reassurance. So, if we look at cyber incident management, of course there is a technical element in putting systems back on line, getting the attacker out of the system and restoring data, but there are three other elements which are mentioned briefly in some guides, and not at all in others. For me, these elements address how to manage the effect of the breach on the customer and should be given the same weight as the technical response.
The three elements in addition to ‘IT Incident Technical Response’ are:
1. Reputation and stakeholder management
2. Statutory reporting, including GDPR
3. Business recovery and continuity of operations
If we carry out reputation and stakeholder management, we can limit the impact of the cyber incident. If we are open and honest with our customers and stakeholders, keep them up to date and make all efforts to mitigate the impact on them, such as signing them up to a personal finance monitoring service like Experian, you can begin to rebuild customer trust and they may not switch to your competitors. Failure to inform your customers in a timely fashion, like Equifax who took 41 days to admit their breach, trying to cover up or paying the hackers to keep quiet like Uber did, portraying yourselves as a victim or a botched response, all add to the impact of the incident and further impact the organisation’s reputation and its ability to retain customers.
As part of the preparation for a cyber incident, organisations should have a communications plan of how they are going to inform all of the groups who could possibly be affected. This must be planned for an event where the organisation’s systems are down or cannot be accessed due to ransomware. This also has to be in fine detail, even the communication's email address needs to be thought through. Marriott was severely criticised for using an email address to send its breach notification (@email-marriott.com), whilst legitimate, it does not appear to be very trustworthy. The domain itself doesn’t load or have an identifying HTTPS certificate, and it doesn’t even belong to Marriott, it was owned by a third party on behalf of the hotel. Errors like this would not have occurred if they had a thought out cyber breach communications plan.
GDPR is clear on the statutory reporting of a cyber breach and it has to be within 72 hours. It is not sufficient just to tell the Information Commissioner that you have had a breach, as they will want to know what has happened, when and how you found out about the breach, the people that have been or may be affected and what you are doing as a result. The reporting of a breach should be left to technical people, but should be reviewed and signed off by senior managers. There may be, depending on the type of organisation, a number of other statutory or regulatory notifications. When we carried out a cyber exercise for a Scottish Government Agency earlier in the week, one of their first people to notify was the Scottish Government, so different organisations should have a list of the people they need to notify and have them in priority order.
Lastly, existing business recovery and continuity of operation plans should also be used during a cyber breach. They should contain useful information on which system to restore first, which part of the organisation needs to be recovered first and how quickly. This can be found by looking at the organisation’s BIA and looking for each activity’s RTO, and their underpinning IT systems. The organisation should also have a manual workaround for an IT and telecoms failure, which can be used if external connections have been disconnected, or if staff have been told not to use their PC or laptops to access the organisation’s systems. The incident management framework developed for business continuity incidents can be adopted to deal with cyber incidents, with a few tweaks. You need to make sure that there are not two parallel incident management systems in the organisation, one to manage business continuity incidents and the other to manage a cyber breach.
Some of the cyber incident management documents I read have taken the three missing recovery actions into account, although they are afterthoughts rather than having the same weight as the technical recovery. In the CREST's ‘Cyber Incident Response Guide’, which I personally think is one of the best guides, it states as part of the ‘follow up’ actions; “Once a cyber security incident has been successfully handled, formal reporting will often be required to both internal and external stakeholders”. This is plainly wrong, incidents can take weeks to resolve and we need to inform our stakeholders a lot sooner. I think many organisations still see cyber as an IT issue and that it is IT’s job to ‘Prepare, Respond and Follow up’ and tell the senior managers when the problem is resolved.
If you are unsure what preparation you should be making, there are still places available on our Managing and Preparing for Cyber Incidents course! The themes within this bulletin are also available as a Responding to Cyber Incidents Briefing, which can be given to senior managers, so they are aware of their role and what is expected of them in a cyber incident.