Cyber preparedness lessons from the trenches

The following piece comes from a discussion with a senior security practitioner at a large global brand hit by a major cyberattack. As media, regulators and commentators scrutinized every move, its cyber crisis response played out in real time in front of a global audience. The interviewee agreed to share their story in the hope it would help shape other companies’ responses to such situations.

It was the tail end of a typical week for the cybersecurity team. People broke the humdrum of staring at a desktop with sugar and caffeine hits, documents documented, emails emailed and pop-ups popped-up. Stability. Except it wasn’t.

The sense of corporate contentedness was at odds with the facts. Somewhere, a butterfly was already flapping its wings as front-line cybersecurity teams uncovered a piece of malicious code somewhere it definitely shouldn’t have been. A storm was building on the horizon.

Our senior security leader noticed a subtle change in the vibe of the office: “Certain people were not at their desks or were unusually busy. Some people definitely had funny looks on their faces.

“Then, we were taken into an office where the situation was laid out for us. We were told there had been a breach.

“My gut response was similar to when you are told there has been a death in the family. When you’ve been in the industry for a while, you see a lot of talks from people who have been hit. You know it’s coming, but when it does it’s still a shock. You can’t really prepare yourself.” 

A flurry of activity turned the normally quiet office upside down. Luckily, the company had been planning its crisis response: “The processes themselves were well drilled, so our initial response was effective.”

The company was tightly regulated, so both table-top and near real-life simulation exercises were held regularly. These initially took place annually, then quarterly; the goal was to make them monthly events. At first the exercises used generic situations, but these later developed into real-world scenarios using contemporary threats.

“I always view cyberattack planning as a ‘business as usual’ endeavor which should be scheduled as a non-negotiable commitment. We would run these across a range of departments to make sure everyone understood what to do when the inevitable happened. This involved those you might expect but also senior managers from the customer call centers, regulatory compliance, employee relations, and communications teams. We would also extend it to consultants where necessary.”

For the team on the ground, the breach played out in a series of seemingly distinct phases. First came analysis and emergency triage; this phase was about understanding the details of the incident and how serious it was, with IT, cyber, and compliance teams providing early input. This is where the ‘muscle memory’ from cyber crisis training was important. Based on this, the next step was to make relevant teams aware, which meant informing legal, customer and employee relations, and data protection.

After this, the incident response plan began in earnest: “We had to take technical actions to secure the breach, then escalate information to senior management and regulatory bodies.” 

Unsurprisingly, however, it didn’t all go to plan. There’s an old adage that no plan survives first contact, which was never truer than at this moment, when the business had unexpected human factors to contend with: “We noticed that as the information travelled up the chain of command, strategic decisions made at a senior level were done so behind more closed doors than would be ideal. 

“I think, to some extent, human instinct kicked in and there was a desire to ‘keep things tight’, which was at odds with the transparent decision-making we had practiced. 

“That isn’t to say that the incident plan wasn’t executed, but it was interesting to see how quickly it was pulled out of shape as events overtook it.  Once the incident was confirmed, escalation was remarkably quick and from that point on more decision-makers got involved.”

This didn’t stop the company’s regulatory imperative being a priority though. “We had a set of written plans which showed clear lines of authority. These were split out for different types of incidents with dedicated escalation paths, dictating disclosure to the regulator where necessary.”

Over time, the company’s breach response was laid bare for all to see.  As the situation wound its way through the news agenda, the company adapted and eventually overcame a series of obstacles. 

“It was surreal watching it play out in the news; however, it did make me appreciate the value of all the training we had done in advance.”

Despite it being a stressful time, reflecting on the breach has reinforced some valuable lessons for our senior security leader: “Anyone who has suffered a breach, experienced a close shave, or had part of their supply chain attacked will instinctively do more crisis planning. I am convinced that the amount of time spent planning, preparing, communicating, rehearsing and exercising has a direct bearing on an organization’s ability to survive, overcome and eventually benefit from a cyberattack. It’s as simple as that.

“It made me better appreciate the value of learning.  Doing ‘wash-ups’ at the end of every training session, where people share and discuss their learnings, are now non-negotiable. Do not let this slip because you have to answer an email or disappear into another meeting.

“If little time is spent planning, the consequences of a cyberattack on an organization can be severe and potentially long-lasting. The general public remember organizations that have suffered a data breach and how the crisis was dealt with. An organization which deals with a crisis in a professional and well-rehearsed manner is more likely to be viewed in a positive light in the long term.”  

To find out more about Immersive Labs' Cyber Crisis Simulator and how it can improve cyber preparedness, book a demo via the link below or read more here.

TOPICS
Blog
Cyber Crisis Sim
Exercising
PUBLISHED

30 July 2020

We help businesses to increase and evidence human capability in every part of cybersecurity.

Legal