In our third post in this series of learnings from CyberCon 2023, we go through how incidents and crises can be managed, with strategies and examples of how incidents have been handled, both good and bad!

Where to start

As a starting point, data management, or knowing what data you store on your systems and where it is stored, is extremely important to helping you quickly understand the scope of a breach and what has potentially been compromised. Then you can react appropriately without wasting time that could be spent containing the breach.

This can be difficult, as leakage often occurs through things like staff using file servers to back up personal data, or other unknown data being placed on your systems. This can be addressed through staff education or by not allowing the use of generic data stores. Unknown data on your systems can be extremely difficult for a cyber team to learn about, so in this case the old adage of prevention being better than the cure is your best defence. Educate your staff on what they can store on company infrastructure, and monitor any shared drives or generic file servers.

Processes, Roles and Responsibilities

Other key lessons learned include that company business continuity or crisis management processes are rarely fit for purpose during a cyber crisis. Manuals that have been written may be irrelevant to what is actually occurring during an incident, or so detailed and large that an excessive amount of time is spent wading through them to find the relevant processes to follow.

The time taken to make decisions, and the approval processes for key changes and decisions, can lead to data breaches of a much wider scale than they would otherwise have been. Large organisations may require executive-level approval to take a website, or other externally facing applications or hardware, offline. If an event is getting out of control, hours can be wasted trying to get approval from executives who may be overseas or unavailable. Giving staff members clear responsibilities and the authority to make decisions within defined scopes makes handling the event much easier for those on the ground, allows decisions to be made quickly, and will likely reduce the severity of the event.

Examples were given of companies where authority needed to be granted by executives who were overseas during the holiday period, costing hours in delays while the attackers remained in the system, and leading to a much larger incident than it could otherwise have been. Other examples were of staff who did not want to interrupt or annoy executives in the middle of the night, which again cost vital time, giving the attacker longer to carry out the attack and affect more data than they otherwise would have.

Conclusion

Really, the key part of crisis management is data management, and ensuring that personnel have roles, responsibilities and authorities clearly defined and understood. This means making sure everyone is aware of how much responsibility they have and where the limits of their authority lie: for example, a retailer knowing who has the authority to take the website offline, which will inevitably cost money in lost revenue.

Check out our other learnings from CyberCon

Author
Brad Fabiny

DQS Product Manager - Cyber Security and auditor for the ISO 9001, ISO 27001 standards and information security management systems (ISMS) with extensive experience in software development.
