The chances of being hacked or suffering a breach of some sort are now higher than ever and only increasing. It is vital that organisations, large and small, understand what they need to do after a breach, much of which can be summed up in a single word – planning.
There is ample evidence to show that the chance of being breached is effectively 100 percent - essentially not if it happens but when. With this in mind, the main consideration should be the potential impact of a breach, estimating the value of the information including the expense and difficulty of replacing/recovering it and the embarrassment its loss might cause.
Assuming a breach has happened, what happens next and what should be done?
Expect the worst!
The cost of trying to protect all information within an organisation makes such a policy unrealistic. Therefore, expect the worst situation to be an attack on the most valuable information held. With any luck, the plans put in place will be more than enough to deal with any situation that might arise.
An incident response starts with recognising that something untoward has actually happened, and then determining as quickly as possible the following:
- What information is at risk (where is the breach)?
- When did the breach take place? Attacker dwell time, in this context, is the time between a breach occurring and its detection, and it is quite possible for this to be many days if not months.
- Is the attack ongoing or complete?
- What were the main method(s) used for the breach (perpetrators and tools used)?
- What was the primary purpose of the attack? Is this the intended target, or merely a way of trying to access another, more valuable target, further up the supply chain perhaps?
Naturally, the initial investigation will not provide full answers to some, or all, of the questions but a start must be made. Speed is of the essence, especially if the attack is ongoing. Actions that can be taken might involve closing connections within the organisation, with other partners and/or to the internet. This will reduce the risk of further development of the attack, exfiltration of information and spreading of the attack to other areas.
All this should be documented in an incident management plan that is tested on regular occasions. Testing can be done by “war gaming”, bringing in specialist firms to pretend to be the enemy attacker and to help hone the skills, confidence and competence of the in-house staff.
If you work in a large company, public body, or perhaps a smaller organisation of note, all the above must be done in anticipation of the very high level of interest the press and regulators will have in your incident. A media management plan, and ways of dealing with all the stakeholders including staff, media, regulators, suppliers and clients/customers, are critical.
What follows on from this initial activity rather depends on the findings of that initial assessment.
It is highly likely that some form of legal or contractual action will be taken subsequently. This could be dismissal of an employee, action against a competitor or wider action against criminal cyber-gangs. Whoever that action is against, it is vital that evidence is gathered appropriately, which requires major planning. Irrespective of the size of the incident, hard evidence will need to be presented, including “cyber” evidence of breaches or other unauthorised activities.
Long before any incident occurs, a plan needs to be in place for gathering evidence. There will always be a conflict between the business's desire to get back to business as usual, and the need to gather and preserve forensic evidence. That evidence-gathering might require carrying out tasks that are likely to be very detrimental to the normal workings of the organisation. Agreeing with senior management the priorities between these two conflicting requirements is critical and is likely to take a lot of time and effort.
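A concrete piece of forensic readiness that can be agreed and scripted long before an incident is how collected evidence is hashed and recorded so that its integrity can later be demonstrated. The following is an added example, not code from the article or from any of the organisations it mentions; the evidence directory, collector name and case identifier are constructed placeholders, and it uses only the Python standard library.

```python
"""Forensic-readiness helper: build and verify a hashed evidence manifest.

Added example, not part of the original article. It assumes evidence files
(logs, memory images, disk images) have been copied into one directory. The
manifest records a SHA-256 hash, size and collection metadata for each file,
plus a hash over the entry list itself, so both altered evidence and an
altered manifest can be detected later.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large images need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _entries_digest(entries: list[dict]) -> str:
    """Hash a canonical JSON rendering of the entry list (key order fixed)."""
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def build_manifest(evidence_dir: Path, collector: str, case_id: str) -> dict:
    """Record every file under evidence_dir with its hash, size and collection time."""
    entries = []
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        entries.append({
            "relative_path": str(path.relative_to(evidence_dir)),
            "size_bytes": path.stat().st_size,
            "sha256": sha256_file(path),
        })
    return {
        "case_id": case_id,        # placeholder value in the demo, not a real case reference
        "collector": collector,    # who took custody of the files
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "entries": entries,
        "entries_sha256": _entries_digest(entries),
    }


def verify_manifest(evidence_dir: Path, manifest: dict) -> list[str]:
    """Return problems found: a tampered manifest, missing files or changed hashes."""
    problems = []
    if _entries_digest(manifest["entries"]) != manifest["entries_sha256"]:
        problems.append("manifest entry list does not match its recorded hash")
    for entry in manifest["entries"]:
        path = evidence_dir / entry["relative_path"]
        if not path.is_file():
            problems.append(f"missing: {entry['relative_path']}")
        elif sha256_file(path) != entry["sha256"]:
            problems.append(f"modified: {entry['relative_path']}")
    return problems


def demo() -> dict:
    """Exercise both functions on a constructed evidence set in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp)
        # Constructed sample evidence, not taken from any real system.
        (evidence / "auth.log").write_text("Jan 01 00:00:01 host sshd[1]: constructed sample line\n")
        (evidence / "memory").mkdir()
        (evidence / "memory" / "ws01.raw").write_bytes(b"\x00" * 4096)
        manifest = build_manifest(evidence, collector="analyst-placeholder", case_id="CASE-PLACEHOLDER")
        clean = verify_manifest(evidence, manifest)
        # Someone "tidies up" a log after collection: the file hash no longer matches.
        (evidence / "auth.log").write_text("")
        after_change = verify_manifest(evidence, manifest)
        # Someone edits the manifest to hide that change: the entry-list hash no longer matches.
        tampered = json.loads(json.dumps(manifest))
        tampered["entries"][0]["sha256"] = sha256_file(evidence / "auth.log")
        after_tamper = verify_manifest(evidence, tampered)
    return {"count": len(manifest["entries"]), "clean": clean,
            "after_change": after_change, "after_tamper": after_tamper}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest would be signed or stored somewhere the collecting team cannot quietly rewrite it (write-once storage, a separate custodian), which is exactly the sort of arrangement the text says should be agreed with senior management before an incident rather than during one.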
There are specialist firms offering forensic services who will do the necessary technical work to determine what happened and why, whether there are ongoing issues and provide the necessary support to get things back on track. Their activities though will have a serious impact on the normal operations of the company.
GCHQ has an approval service, The Cyber Incident Response (CIR) scheme, that provides access to companies that are certified to a GCHQ standard. The work they do will include:
- Forensic analysis of the incident, which provides lessons to be learned;
- Provision of forensic evidence;
- Help to clean up the mess made by an attack, and to get the business working effectively again;
- Advice on how to reduce the risk of a further attack and the mitigating actions that can be taken.
Help is available
The National Cyber Security Centre (NCSC) has recently been set up to centralise the advice and guidance available from several different parts of government. www.getsafeonline.org is an excellent starting point for advice at any level for all organisations.
The Cyber Defence Capability Assessment Tool (CDCAT®), developed in the UK, is a maturity assessment of your system and will provide helpful advice on the steps to take to improve security across the board.
Training for staff is a critical element in the fight against cyber-attacks. Teaching staff what a bad email looks like, how to decide if a link in an email is good or bad and what to do if they see strange web sites are all valuable lessons.
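The "is this link good or bad" lesson can be backed with the same checks a mail filter or help desk would apply. The following added example is not from the article; it is a small standard-library Python script that pulls every link out of a constructed HTML email body and flags the common warning signs: visible text showing one web address while the link goes to another domain, a trusted brand name embedded in an unrelated hostname, user@host tricks that hide the real host, and links to bare IP addresses. The trusted domain list and the sample message are assumptions made up for the demonstration.

```python
"""Phishing-link triage helper for staff training material.

Added example, not code from the article. The trusted domains and the sample
email body below are constructed for the demonstration; the hostname
heuristic is deliberately simple (last two labels, no public-suffix list).
"""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the hypothetical organisation treats as its own or trusted (assumption).
TRUSTED_DOMAINS = ("example.com", "example-bank.com")


def registered_domain(host: str) -> str:
    """Crude last-two-labels heuristic; good enough to compare two hostnames here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def assess_link(href: str, text: str) -> list[str]:
    """Return the warning signs found for one link; an empty list means nothing suspicious."""
    warnings: list[str] = []
    target = urlparse(href)
    host = target.hostname or ""
    if target.scheme not in ("http", "https"):
        warnings.append(f"unusual scheme: {target.scheme or 'none'}")
    # Sign 1: the visible text looks like a web address but the link goes elsewhere.
    shown = urlparse(text if "://" in text else "http://" + text)
    if " " not in text and shown.hostname and "." in shown.hostname:
        if registered_domain(shown.hostname) != registered_domain(host):
            warnings.append(f"display text says {shown.hostname} but link goes to {host}")
    # Sign 2: a trusted brand name inside a hostname that is not the trusted domain.
    if registered_domain(host) not in TRUSTED_DOMAINS:
        brands = [t.split(".")[0] for t in TRUSTED_DOMAINS]
        if any(brand in host.lower() for brand in brands):
            warnings.append(f"lookalike of a trusted domain: {host}")
    # Sign 3: user@host in the URL, so the part before '@' is not the real destination.
    if target.username is not None:
        warnings.append("text before '@' in the URL is not the real host")
    # Sign 4: a bare IP address instead of a hostname.
    if host and host.replace(".", "").isdigit():
        warnings.append(f"link points to a bare IP address: {host}")
    return warnings


def assess_email(html_body: str) -> dict[str, list[str]]:
    """Map every link in the body to its list of warning signs."""
    parser = LinkCollector()
    parser.feed(html_body)
    return {href: assess_link(href, text) for href, text in parser.links}


# Constructed sample email body (reserved test IP and .test TLD; not a real message).
SAMPLE_EMAIL = """
<p>Dear customer, please sign in at
<a href="http://example-bank.com.login-verify.test/">https://example-bank.com/login</a>
or use our <a href="https://example.com/help">help centre</a>.
<a href="http://example.com@203.0.113.5/reset">Reset password</a></p>
"""

if __name__ == "__main__":
    for link, signs in assess_email(SAMPLE_EMAIL).items():
        print(link, "->", signs or "no warning signs")
```

Running it on the sample flags the first and third links and passes the genuine help-centre link; the same four questions (does the text match the destination, is a familiar name buried in a strange hostname, is there an '@', is it a bare IP) are ones staff can be taught to ask by hovering over a link before clicking.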
The chances of any organisation, large or small, suffering a cyber-attack are still extremely high; it is now widely accepted that it is not if but when.
Planning is critical, specifically focussing on:
- Incident management
- Forensic readiness
- Media management
- Business continuity
- Disaster recovery
There will be significant conflicts between the requirements of these plans. Discuss and agree the way these conflicts should be managed prior to an incident when there is no pressure, rather than when the heat is on, post incident.
Test the plans regularly, learn from the mistakes that will always be made, and remember that it's never too late to start planning!
Contributed by Andy Taylor, lead assessor, APMG