Cyberattacks are common in the public sector, accounting for around 40% of all UK incidents [1]. Aon’s Andy Catley, director of cybersecurity (investigations & response), and Ruth Murray, client director, public sector Scotland, explain what happens following an attack or data breach and why a cyber response service is a must.
Receiving a ransom demand for a five-figure sum to get your network and data restored can be extremely distressing. But being prepared and acting quickly will help to take the drama out of a cyber incident.
Although that ransom note and any shutdown or encryption of your systems is likely to be the first the organisation knows of a cyberattack, it’s often the very last act.
Cybercriminals are likely to have been in your system for months: the average time on a victim network is more than 200 days [2]. During this time, as well as exfiltrating any data, they will have assessed the damage they can cause and how much they can demand in ransom.
Act fast
Speed is essential if your organisation suffers a cyberattack or data breach. The first 24 hours after a cyber security incident are critical, so the second you realise something isn’t right, whether that’s a ransom note or something suspicious on your networks, it’s time to turn to the experts.
A cyber response team will be able to support you during this time, working independently or alongside any internal expertise. Cyber security incidents are multifaceted, requiring a variety of different skills to contain and remediate the damage caused and help an organisation build cyber resilience to reduce the risk of another incident.
Cyber incident response
Once an incident happens, the most pressing matter is to understand its nature and how it affects the organisation. To gain this insight, the response team’s digital forensics experts will analyse the organisation’s networks to understand where the cyber threat actors have been and what data they have accessed.
Alongside this, they will also undertake cyber threat hunting to determine whether the threat actors are still in the network. This provides confidence that the organisation is no longer actively compromised, which is essential before any remedial work can begin.
At this initial stage, they may also recommend engaging a law firm to act as breach coach and deal with all the legal aspects of a cyberattack. This might include advising on data privacy laws and dealing with the regulators.
Ransom action
The question of whether to pay the ransom will also arise. There are no hard and fast rules on this unless the demand comes from an entity on a sanctions list, such as those issued by the UK FCDO or the US OFAC, in which case it is illegal to pay them. Often the decision is a business one, based on the nature of the data exfiltrated or how much the cyber incident is affecting the organisation’s operations.
Where they can, a cyber response team will engage with the threat actor. This dialogue may be to negotiate the ransom, but they may also ask for proof of life in the shape of a subset of the data that has been taken.
This activity benefits the organisation. As well as winning it time, it gives the organisation a more detailed understanding of what has happened. This insight could inform the decision on whether to pay the ransom.
Recovery time
A cyber response service will also guide an organisation through any remediation and recovery action that is required. This could involve restoring data, cleaning systems, and rebuilding a network within a sandbox environment to ensure it isn’t infected.
At this stage, the cyber response team will also recommend the steps the organisation should take to prevent a repeat of the security incident. This might include recommendations on longer-term network and system repairs to strengthen the organisation against future attacks.
Given the detailed nature of the response required, it will take at least a couple of weeks, and typically four to six weeks, to get from that initial call to this point.
Be prepared
Whether or not your organisation has already experienced a cyber security incident, one of the key recommendations is to have an incident response plan. This details the actions the organisation needs to take if it suffers a data breach or cyberattack, helping to improve resilience and enabling a faster and more efficient response.
It’s also prudent to consider having a cyber response service on a retainer. It is possible to engage a service after the event occurs but, by having them on a retainer, you will benefit from this existing relationship. For example, at Aon, our cyber response team will get to know your systems during the onboarding process, enabling them to make recommendations for improvements but also saving time if you do experience a cyber security incident.
Cyberattacks and data breaches are a real risk for public sector organisations, topping Aon’s Global Risk Management Survey. Being prepared and understanding how a cyber response service can support your organisation will help to reduce this risk.
More information
To find out more about the cyber services Aon offers, speak to your Aon account manager or contact Andy Catley ([email protected]) or Ruth Murray ([email protected]).
[1] Deputy Prime Minister speech on cyber operations - GOV.UK (www.gov.uk)
[2] Data Breach Action Guide | IBM
This article has been compiled using information available to us up to 29/02/2024.