Cyber Resilience Services
PlanB Consulting has extensive experience in helping organisations feel more prepared for cyber incidents. Read more about our approach below.
Cyber Incident Management and Reputation Audits
You may have spent a lot of time and money ensuring that your organisation does not suffer a cyber breach, but we know that no system is 100% secure. As per Brian Honan's quote above, “your organisation will be judged on how you respond to any breach rather than whether you have had one in the first place”. Large organisations like Equifax, Marriott and Travelex are good examples of how not to manage a data breach. Many of the mistakes they made in their response could have been avoided by training, preparation and exercising.
To avoid your organisation making the same mistakes, PlanB Consulting can audit your organisation and assess your level of preparation. The audit could review the following:
- Plans, procedures and playbooks
- Crisis communications plans and procedures
- Pre-prepared statements and collateral
- Dark website preparations and use of domains
- Understanding what you have to lose during a data breach, including what is your critical data (crown jewels)
- Level of cyber knowledge of those who would respond to a cyber incident and what training they have had
- Whether cyber exercising has been carried out
PlanB Consulting can carry out a full audit of your level of preparation and then produce a gap analysis which details the suggested work you should carry out.
“You are going to be hacked: Have a plan,” said Josef Demarest, of the FBI. "You should also test and exercise that plan".
Latest cyber blog: What lessons can we learn from Marriott’s response to their Cyber Breach?
The hacks of British Airways, Marriott and Equifax, and their responses, have again highlighted the need for companies both large and small to be prepared for managing the external response to a hack of their systems. PlanB Consulting offers a wide range of different exercises for organisations to explore and practise their response to a cyber attack. These have ranged from a full SIMEX (Simulated Exercise / Command Post exercise) for a private bank to tabletop exercises for government organisations, emergency services and a number of fintech organisations.
We plan the scenario to be different from the standard business continuity or crisis management scenarios. The exercise will involve strategic response, be challenging and have media interest. The scenario will be credible and tie in with current real incidents. Our exercise will involve the following:
- Strategic decisions, such as:
  - When to tell stakeholders and customers there has been a possible breach. Different countries and US states have different statutory reporting requirements, so the team will have to take this into account. Understanding the reporting requirements of GDPR is a key component of the exercise.
  - Whether to turn off systems if you suspect they have been compromised.
  - Involvement of law enforcement.
  - When to engage with the media.
  - How to respond to any ransom demands.
- Communications with a wide variety of stakeholders.
- Managing the response to the media.
- Managing stakeholders across a number of time zones if applicable.
- Notification of various bodies governing data protection in countries you have operations in.
- Putting out guidance to stakeholders if personal data has been lost.
- Managing speculation and rumour.
- Managing the interface between those responding technically and those managing the incident and communications.
- Liaison with law enforcement and managing the forensic elements of the breach.
Read our blog post on Ten Lessons from a Cyber Attack Response Exercise
Cyber Briefings for Senior Managers / C Suite
PlanB Consulting has carried out cyber briefings for a number of different organisations, ensuring that their senior managers understand the threat, their existing level of resilience and some of the issues they will face during a cyber incident. These have varied from one hour to a half-day training session.
A typical agenda could include:
- The cyber incident landscape and review of recent incidents
- Understanding the different types of cyber threats
- Understanding your risk profile - what do you have to lose?
- The role of the crisis management team / gold team / strategic team in managing an incident
- Crisis communications during a cyber incident
- Reporting the incident and GDPR requirements
"The training went well and was well received" - comment after a cyber briefing for the senior management team of a private banking and wealth management organisation.
All sessions are tailored to the needs of the organisation and the particular topics they want to cover.
Examples of the type of case studies used in the cyber incident landscape: 'What lessons can we learn from Marriott’s response to their Cyber Breach?' and 'Equifax UK - How not to manage the communications of a cyber breach'.
Cyber Incident Management and Response Training for Teams
PlanB Consulting carried out its first Cyber Incident Management and Response Training course in May 2017. The audience was the Business Continuity Coordinators of a Local Authority. Since this occasion, we have carried out a large number of cyber incident management training courses in both the public and private sectors. All three courses have been different and bespoke to the client's requirements. PlanB Consulting has also developed a two-day public training course, 'Managing and Preparing for Cyber Incidents', which is marketed and delivered by sister company Business Continuity Training. Details of their course and the dates of the training are available here.
The course can cover a wide variety of different subjects:
- Cyber Incident landscape and recent case studies
- Understanding the different types of cyber threats including targeted and untargeted attacks
- Preparing for a possible attack
- Developing an incident response
- Decision making during incidents
- Development of incident responses, including playbooks
- Reporting cyber incidents and GDPR
- Cyber insurance and third party support
- Detecting, containing and responding to an attack
- Managing the response alongside 'techies' - what information they want from you
- Developing a crisis communications strategy
- Developing and running cyber exercises.
Recent blog post on the subject: 'What is the difference between a cyber and "normal" incident?'
Responding to Cyber Incidents, Plan Writing and Developing Playbooks
PlanB Consulting can help you develop the following:
- Cyber incident management playbooks for specific cyber incidents such as ransomware, data breach or DDoS attack
- Playbooks which can help executive decision making where decisions are needed at short notice, such as whether to disconnect all external internet connections during a ransomware attack.
- Response Plans for managing the executive level response to a cyber incident.
- Crisis Communications Plan including the preparation needed prior to a cyber incident.
- Developing a cyber exposure risk assessment to understand your worst-case exposure if all organisation systems are compromised.
PlanB Consulting's Model for Cyber Incident Response
The following diagram shows our model for incident response. Notice that only one quarter is assigned to the technical response.
The four areas of response are:
The IT Incident Technical Response covers the initial detection of the incident, triage and the first response to the incident. It includes containing the cyber security incident, eradicating the cause of the incident and gathering and preserving evidence. Finally, it covers recovering systems, data and connectivity and returning the system to normal operation.
We believe at PlanB Consulting that the success or failure of your incident response is determined by the attitude of your stakeholders. If they think you did a good job in responding, then you were successful, and if they don't, your response has failed. This is why a key part of responding to a cyber incident is the Reputation and Stakeholder Management. This requires preparation carried out in advance, a robust incident management plan and playbooks for dealing with specific incidents.
With GDPR there is now a designated time within which an organisation must report a cyber breach to the Information Commissioner's Office (ICO). Organisations no longer have the luxury of being able to do a thorough investigation, identify the data which has been compromised and determine a list of affected stakeholders. Reporting to the ICO is the minimum reporting requirement, and different agencies have different regulatory and statutory reporting requirements. There is also the requirement of reporting the incident to the Police. We believe that you should have a robust plan in place for dealing with your organisation's Statutory and Regulatory Reporting, including GDPR, and that the plan should be exercised.
Lastly, existing Business Continuity and Continuity of Operations plans should also be used during a cyber breach. They should contain useful information on which systems to restore first, which part of the organisation needs to be recovered first and how quickly. This can be found by looking at the organisation’s BIA and looking for each activity’s RTO and its underpinning IT systems. The organisation should also have a manual workaround for an IT and telecoms failure, which can be used if external connections have been disconnected, or if staff have been told not to use their PCs or laptops to access the organisation’s systems.
Alongside the response area, the organisation must have a robust incident management structure in place to manage the response to the incident.
Feedback from recent Cyber Resilience training
Stuart Wadley Ports and Harbours - Rated Course: "Excellent" Comment: "Excellent Delivery, engaging and thought provoking"
Denise Bell HR - Rated Course: "Very good" Comment: "Liked the practical, no-nonsense approach"