Cyber Resilence Services
PlanB Consulting has extensive experience of helping organisations feel more prepared for cyber incidents. Read more about our approach below.
“You are going to be hacked: Have a plan,” said Josef Demarest, of the FBI. "You should also test and exercise that plan".
Latest cyber blog: What lessons can we learn from Marriott’s response to their Cyber Breach?
The hack of British Airways, Marriott, Equifax and their responses have again highlighted the need for companies both large and small to be prepared for managing the external response to a hack of their systems. PlanB Consulting offer a wide range of different exercises for organisations to explore and practice their response to a cyber attack. This has included a full SIMEX (Simulated Exercise / Command Post exercise) for a Private Bank to Table Top Exercises for government organisations, emergency services and a number of fintech organisations.
In planning the scenario, we will plan it to be different to the standard business continuity or crisis management scenarios. The exercise will involve strategic response, be challenging and have media interest. The scenario will be credible and tie-in with current real incidents. Our exercise will involve the following:
- Strategic decisions, such as:
- When to tell stakeholders and customers there has been a possible breach. Different countries and USA states have different statutory reporting requirements and so the team will have to take this into account. Understanding the reporting requirments of GDPR key component of the exercise.
- Whether to turn off systems if you suspect they have been compromised.
- Involvement of law enforcement.
- When to engage with the media.
- How to respond to any ransom demands.
- Communications with a wide variety of stakeholders.
- Managing the response to the media.
- Managing stakeholders across a number of time zones if applicable.
- Notification of various bodies governing data protection in countries you have operations in.
- Putting out guidance to stakeholders if personal data has been lost.
- Managing speculation and rumour.
- Managing the interface between those responding technically and those managing the incident and communications.
- Liaison with law enforcement and managing the forensic elements of the breach.
Read our blog post on Ten Lessons from a Cyber Attack Response Exercise
Cyber Briefings for Senior Managers / C Suite
PlanB Consulting have carried out cyber briefings for a number of different organisations ensuring that their senior manager understand the threat, their existing level of resilience and some of the issues they will face during a cyber incident. These have varied from one hour to a half day training session.
A typical agenda could include:
- The cyber incident landscape and and review of recent incidents
- Understding the different types of cyber threats
- Understanding your risk profile - what do you have to lose?
- The role of the crisis management team / gold team / strategic team in managing an incident
- Crisis communications during a cyber incident
- Reporting the incident and GDPR requirments
"The training went well and was well received" - comment after a cyber briefing for the senior management team of a private banking and wealth management organisation.
All sessions are tailored to the needs of the organisation and the particular topics they want to cover.
Example of the type of case studies used in the cyber incident landscape 'What lessons can we learn from Marriott’s response to their Cyber Breach?' and 'Equifax UK - How not to manage the communications of a cyber breach'
Cyber Incident Management and Response Training for Teams
PlanB Consulting carried out its first Cyber Incident Management and Response Training course, in May 2017. The audience was the Business Continuty Coordinators of a Local Authority. Since this occasion, we have carried out a large number of cyber incident management training courses in both the public and private sector. All three courses have been different and bespoke to the clients requirment. PlanB Consulting has also developed a two day public training course 'Managing and Preparing for Cyber Incidents' which is marketed and delivered by sister company Business Continuty Training. Details of their course and the dates of the training is available here.
The course can cover a wide variety of different subjects:
- Cyber Incident landscape and recent case studies
- Understanding the different types of cyber threats including targeted and untargeted attacks
- Preparing for a possibile attack
- Developing an incident response
- Decision making during incidents
- Development of a incident response, including playbooks
- Reporting cyber incidents and GDPR
- Cyber insurance and third party support
- Detecting, containing and responding to an attack
- Managing the response alongside 'techies' - what information they want from you
- Development a crisis communications strategy
- Developing and running cyber exercises.
Recent blog post on the subject: 'What is the difference between a cyber and "normal" incident?'
Responding to Cyber Incidents, Plan Writing and Developing Playbooks
PlanB Consulting can help you develop the following:
- Cyber incident management playbooks for specific cyber incident such as ransomware, data breach or DDOs attack
- Help develop playbooks which can help executive decision making, where decision are needed at short notice such as during a ransomware attack whether to disconnect all external internet connections.
- Response Plans for managing the the executive level response to a cyber incident.
- Crisis Communications Plan including the preparation needed prior to a cyber incident.
- Developing a cyber exposure risk assessment to understand your worst case exposure if all organisation systems are compromised.
PlanB Consulting's Model for Incident Response
The following diagram shows our model for incidnet response. Notice that only one quarter is assigned to the technical response.
The four areas of response are:
The IT Incident Technical Response covers the initial detection of the incident, triage and the first response to the incident. It includes containing the cyber security incident, eradicating the cause of the incident and gathering and preserving evidence. Finally, it covers recovering systems, data and connectivity and returning the system to normal operation.
We believe at PlanB Consulting that the success or failure of an incident response is determined by the attitude of your stakeholders. If they think you did a good job in responding, then you were successful and if they dint your response fails. This is why a key part of responding to a cyber incident is the Reputation and Stakeholder Management. This requires preparation carried out in advance, a robust incident management plan and playbooks for dealing with specific incidents.
With GDPR in Europe there are now designated time at which an organisation must report a cyber breach to the Information Commissioner's Office (ICO) . They no longer have the luxury of being able to do a thorough investigation, identify the data which has been compromised and determine a list of effected stakeholders. The reporting to the ICO is the minimum report requirements and different agencies have different regulatory and statutory reporting. There is also the requirement of reporting the incident to the Police. We believe that you should have a robust plan in place dealing your organisations for dealing with Statutory and Regulatory Reporting, including GDPR, and that the plan should be exercised.
Lastly, existing Business Continuity and Continuity of Operation's plans should also be used during a cyber breach. They should contain useful information on which system to restore first, which part of the organisation needs to be recovered first and how quickly. This can be found by looking at the organisation’s BIA and looking for each activity’s RTO, and their underpinning IT systems. The organisation should also have a manual workaround for an IT and telecoms failure, which can be used if external connections have been disconnected, or if staff have been told not to use their PC or laptops to access the organisation’s systems.
Alongside the response area the origination must have a robust incidnet management structure in place to manage the response to the incident.
Feedback from recent Cyber Resiience training
Stuart Wadley Ports and Harbours - Rated Course: "Excellent" Comment: "Excellent Delivery, engaging and thought provoking"
Denise Bell HR - Rated Course: "Very good" Comment: "Liked the practical, no-nonsense approach"