No organisation can ever be truly ready for a cyber-attack, but preparation for the immediate aftermath can make a big difference to the long-term outcome.
In the event of a cyber-attack, a coherent response strategy can mean the difference between an organisation holding its nerve or going into complete meltdown.
“Unprepared organisations usually don’t even know how to communicate that an attack has occurred, and do not respond effectively on the day they learn of an attack,” says Spencer Lynch, Managing Director Cyber Security, Cyber Solutions EMEA at Aon. “They are completely in the dark, with no supplies. Prepared organisations, on the other hand, can immediately kickstart an effective response plan; they’ve packed their emergency kits, and they know how to use them.”
A view from the inside
In 2017, DLA Piper was one of the many businesses that fell victim to the NotPetya ransomware attack. Andrew Darwin, the firm’s global co-chairman and senior partner, describes his experience leading the organisation through the crisis response.
“When a cyber-attack hits, you're potentially faced with an existential crisis that you've never faced before. You cannot underestimate the human response to such an incident, a situation that changes constantly requires a great degree of flexibility in your crisis-response plans. The board and executive committee are on such high alert, that it’s difficult to stay within a rigid structure.”
In the dark
“Despite having reasonably well-developed incident response and crisis management plans, the threat we faced was at times overwhelming. For a short period, we had no email, no telephony, no finance systems, no HR systems. We were literally relying on mobile phones, but with no mobile email.”
“We did of course run many simulations before the incident and I would recommend that every organisation does so. But it's important to understand that human reaction will inevitably be very different in those circumstances, and an organisation needs to allow for that the best they can."
“One thing we learned is that you need cyber response advisors who actually live with you on an ongoing basis – not just on the day of the crisis and, even better, who get to know your business and leadership prior to an incident. These advisors can give your response a rhythm and a structure, which is very hard to do when you are in a crisis situation. They also provide independence, which is important for your stakeholders and a source of ‘verification’ for the people helping manage the response.”
It will happen to you
“Our business now is much more resilient and stronger as a result of the cyber-attack, but we learned some huge lessons in a very painful way. My advice to firms looking to improve their cyber risk management strategies would be: don't underestimate the impact on your business. It will happen to everyone to a degree, so don't disregard this as something that happens to other people. “
“Every board, every business has to proceed on the basis of, ‘It will happen to us.’”
A tale of two cyber-incident responses
Below are two examples of responses to a cyber-incident. The responses of the organisations starkly contrasted due to their different levels of preparedness.
Each incident caused the organisation huge financial losses, but Norsk Hydro’s response enabled it to limit the financial damage.
TalkTalk: A fractured and incoherent response following the cyber-attack in October 2015
- Closed down its website and froze social-media activity.
- Displayed a lack of knowledge of the scale of the attack (it was later found to be smaller than TalkTalk had anticipated).
- Attitudes towards how to respond differed across the organisation.
- The board did not have an adequate understanding of the technology.1
Norsk Hydro: Clear and open communication as part of an effective response plan following the cyber-attack in March 2019
- Used daily webcasts and social media posts to keep business partners and the media informed.
- Made it clear that it would not pay the ransomware attackers that had attacked its systems.
- Called in the police to investigate.
- Brought in experts to help.2
The stark contrast between these two companies’ experiences highlight the importance of having a robust response plan in place before a cyber-attack hits.
TalkTalk’s Director of Corporate Affairs and Regulation, Jessica Lennard, outlined the lessons the organisation had learnt shortly after the attack: “One of the key learnings for us has been that cyber security is really a business issue, not a technology issue. As a complex, technical area, it’s more likely to be dealt with in a silo by tech or IT departments, than properly understood and mitigated across the whole company. We’ve made a comprehensive effort since last year to truly embed security in everything we do." 3
Preparation is everything, and businesses cannot afford to be left in the dark.
1InfoSec 2018. TalkTalk hack – lessons learned – the board perspective, SC Media, June 2018
2Experts praise Norsk Hydro cyberattack response, TechTarget, March 2019
3Fraud and Risk Focus Blog, CIFAS, June 2016