The cyber threat landscape is evolving rapidly. Hackers are becoming increasingly sophisticated in their methods and have the potential to gain access to your organisation’s systems and networks easily causing significant damage very quickly.
A cyber-attack can have a devastating impact on your organisation and customers and the media are very quick to criticise organisations that respond poorly.
Most organisations fail to equip themselves to respond to the dynamic and pervasive nature of cybercrime. Too often organisations see cyber related incidents as a technical issue to be solved with a technical solution and the IT department will do very little to address the key vulnerabilities that led to the breach.
Each incident is different and each needs to be handled to a rigorously tested plan, but with sufficient skilled management to flex and mould the process to the particular nuances of the incident. Having “go-to” documents when a cyber crisis arises is essential. However without testing and thorough training, these procedures can be ineffective.
People are often the most significant threat to an organisation as some do not appreciate the risks or are careless with security procedures. Many users respond to phishing emails if they perceive that the email was sent from their internal IT department. This can often mean that one carefully crafted email with a company logo will convince staff to offer up their usernames and passwords to fraudsters without question. To combat this, training in basic data handling and security should be available to all staff and regularly updated as part of the planning process.
Every organisation needs to establish a security policy which is straightforward, easily understood and highly visible so that all staff are fully aware of their responsibilities and those of others.
It should be clear what needs to be protected, who should have access, how that is achieved and who is responsible for ensuring the policy is maintained and tested. There needs to be a regular legal review and ethical implications and consequences need to be considered.
Risk assessments can be conducted by an outside professional organisation or by the company itself. If risk assessments are carried out they have to be designed to examine system vulnerabilities and to assess the risk of exploitation and the potential to do harm.
We have conducted a number of risk assessment exercises where test phishing emails have been sent to users asking them to click on a link to visit a web page requesting their username and password. In one test 70% of users clicked and entered their username and password believing they would be included in a fictitious spam testing project. If this was a real hacker which had gained access to 70% of the user accounts, a major incident could have occurred.
When an incident occurs the prepared plan often turns out to be ineffective as it is not operationally deliverable. Testing is essential. Be aware that plans can go out of date quickly.
Incident procedures should be developed so that it is easy to get to the right section for specific incidents. Then the step-by-step, in-depth plan should be clear and easy to follow. For example: “if this happens, contact this person”, “if this happens, do this”, and so on.
When devising an incident plan, consider what communication resources could be unavailable. In the case of a cyber-attack it is likely that your IT department will take down some of your core networks, meaning phone systems, video conferencing and access to particular network files may not be available. It is good practice to have contingency plans referencing secondary forms of communications, outside of the corporate networks just in case these are needed. Your plan should set out who your key points of contact are (internally and externally) their responsibilities (to the crisis response team) and the preferred and backup communication protocols.
Other considerations include:
Dependant on the type of breach, stakeholders, law enforcement, regulators, customers and markets (if publicly listed) need to be notified. You must know what your notification requirements are now and potentially draft pro forma statements that can be utilised in appropriate circumstances.
Preservation of evidence
The focus of the business must be to regain operational stability in order to get back up and running. However it is important to ensure that evidence is not contaminated as it may be required to protect yourself from the hackers in the future. Obtain forensic images, RAM captures and network dumps as part of the process of getting back up and running.
IT Group: IT Group is a leading supplier of IT Consultancy and Expert Witness services, specialising in Disaster Recovery, Data Security, Fraud Investigation and environmental factors (fire and flood).
This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.