PlanB Consulting

Cyber Incident Management Training – 10 Lessons Learned

This week Charlie looks at the lessons learned during our first Managing and Preparing for Cyber Incidents course.

Yesterday, I ran Managing and Preparing for Cyber Incidents for the first time and I thought I would share ten lessons that were learned during the training.

1. When you have decisions to make that involve 2-3 different potential outcomes, it might be a good idea to develop a playbook for managing the incident. This will help your incident team choose one of the options available, depending on the circumstances of the incident. See my previous bulletin, What is a playbook and do you need one?, for details as to what should be included in a playbook.

2. You need to get your senior managers to understand your IT, including where it is situated and what the risks, capabilities and level of preparedness for a cyber incident are.

3. In a cyber incident, is the CEO the best person to be the organisation’s spokesperson or is it better to have an alternative spokesperson? With an alternative spokesperson, there is an ability to escalate the communications response to a more senior manager if required.

4. As part of your communications strategy, are you going to decide to portray yourself as the victim or the villain? Are you an innocent victim who has been hacked or was your IT security lax and therefore you are the villain, for not protecting your stakeholders’ data securely?

5. Have you practised your senior management team’s ability to make decisions, with far-reaching consequences and without access to all the facts of the incident?

6. Does your senior management team know the answers to the likely questions the media are going to ask after a cyber incident? Have you got a list of the other questions the media may ask, which the spokesperson needs to be briefed on?

7. Are the members of your incident management team and senior managers aware of the capabilities of the organisation? For example, if you want to isolate your systems from the outside world, i.e. “pull the plug”, then how long does this task take and how easily is it carried out?

8. Has your organisation carried out a vulnerability analysis to ascertain the following?

a. What do we have that others might want?

b. What data do we hold?

    i. Intellectual property

    ii. Negotiating positions

    iii. Staff data

    iv. Customer data

    v. Personal information

c. What is the most embarrassing bit of information we hold?

d. Do you have data which can be exploited for financial gain?

e. Ability to transact financial fraud (credit card numbers, bank details, etc.)

f. Possible impacts on operations (SCADA, integrated supply chain, etc.)

9. Does your organisation have a plan in place with the associated pre-written communications for what to say to staff, if their information held in company systems is compromised? Are you able to provide appropriate help to them if they are a victim of identity theft?

10. How can you demonstrate to customers, regulators and stakeholders you have taken appropriate measures to protect yourself? Consider certifying to ISO 27001 or Cyber Essentials Plus, which are both badges you can use to demonstrate your commitment to information security.

About Charlie Maclean-Bristol

Charlie Maclean-Bristol is one of the Founders and Directors of PlanB Consulting. He is also the Training Director of Business Continuity Training Ltd., a UK-based training provider accredited by the Business Continuity Institute. Charlie is a former Business Continuity Institute board member and one of the very few Fellows of both the Emergency Planning Society and the Business Continuity Institute.

A former Infantry Captain in the British Army, Charlie held several emergency planning, business continuity and crisis management positions within the energy and utility industry before founding PlanB Consulting in 2007. Over the past twelve years, Charlie has delivered business continuity consultancy in 6 of the world’s 7 continents, frequently providing full business continuity roll-outs to organisations of all sizes and in all sectors.
