A cyber attack is any attempt to expose, alter, disable, destroy, steal, gain unauthorised access to or make unauthorised use of an asset.
According to the UK Government’s ‘Cyber Security Breaches Survey 2019’1, 32% of businesses reported having a cyber security incident in a 12-month period. For businesses that lost data or assets after breaches, the average annual cost was up to £22,700. However, the direct cost is just one aspect of such incidents – indirect, long-term and intangible costs tend to be overlooked (e.g. lost productivity, reputational damage, and the effects on the operating environment and people). This means that organisations may not fully appreciate the full consequences of breaches and fail to make adequate provisions.
Ricardo recommends a three-step framework to increase corporate cyber resilience – readiness, response and recovery.
Individual readiness builds the foundation of corporate preparedness and comes in the form of basic good housekeeping (e.g. password protocols, user education, awareness raising and training).
Corporate preparedness includes adopting an organisational security standard, raising information security awareness, educating staff, establishing resilient cybersecurity policies and creating an IT-specific risk assessment – backed with investment in IT teams and defences. It also involves preparing a business impact analysis (BIA), business continuity plan (BCP) and crisis management plan (CMP).
Cyber readiness should go hand in hand with IT system testing, including penetration testing. Working with IT team members to ensure they can anticipate, assess, prevent, prepare, respond, contain and recover systems quickly.
The response to a cyber attack should be measured by its scale and the extent to which it cross contaminates systems. It must be addressed operationally, tactically and strategically, and be led by the BCP and CMP.
Business continuity plan
A BCP enables critical activities to continue and starts with preparing a BIA. A thorough BIA identifies the people, systems, equipment and workspaces required to support and deliver critical activities. It sets recovery time objectives (RTO) based on the maximum tolerable period of disruption (MTPoD). Mitigation strategies in the BCP should ensure critical products and services are not affected by an incident, and that robust and rapid recovery mechanisms are in place or that workarounds can be implemented.
Crisis management plan
CMP ensures wider coordination of a response to reduce impacts on people, the operating environment, assets and reputation. CMPs mitigate the potential for these impacts by putting in place structures and systems to ensure a coordinated, coherent response.
During the WannaCry cyber attack, many NHS hospitals managed without IT systems for more than 72 hours. While IT teams worked to identify affected systems and install patches, hospital command teams coordinated the operational response, ensuring patient and staff safety without access to the usual systems and processes. The effective coordination of staff, clear communication to all stakeholders and their coherent response strategies ensured the NHS looked after its patients and maintained its reputation throughout the cyber response.
Following the initial response to a cyber attack, it is crucial to map the recovery of business and IT systems to reduce the long-term impacts. The BCP and CMP should outline separate processes for tactical and strategic operations during the recovery phase.
Initial tactical recovery should be driven by the BCP, ensuring that critical activities are brought back online as a matter of urgency. Tactical recovery should endeavour to prevent any system reaching its own MTPoD, so minimising wider business effects. After the initial phase, the CMP focuses on long-term effects and wider thinking following leadership decisions made at a strategic level.
Strategic recovery concerns wider corporate recovery and short-term business continuity. Longer term reputational impacts should be assessed and mitigated through effective stakeholder management and communication to rebuild trust in the organisation.
Tactical and strategic lessons learnt from a cyber attack should be embedded into the BCP and CMP to improve readiness, response and recovery for any subsequent incidents.
Training and exercising
Training and exercising will enhance readiness, response and recovery in an organisation. All resulting learnings should be included in the BCP and CMP.
Training for an operational response should focus on non-technical skills, which are the core building blocks to successfully tackling incidents:
Situational awareness – this is your ability to collect and process information, and then make projections about potential impacts; looking for the worst-reasonable and most-likely future states.
Decision making – decisions should be timely, effective and defensible. They may not be easy to make or correct (with hindsight), but must be justifiable given the information available at the time they are taken.
Leadership – leaders should be strong and assured, and work within the flexibility and adaptability of the BCP, CMP and their own leadership styles. Leaders should react to the situation, consult others when required, and operate a command and control system as appropriate.
Communication – effective, efficient, timely and clear communication in a common language is crucial.
Exercising your cyber response
Exercising should be conducted at all levels, from ensuring the IT team has appropriate responses for specific threat types through to strategic leaders focusing on wider stakeholder management, communication and decision making. It helps to improve the skills of the responders; assess the performance and vulnerabilities of IT security features, the BCP and the CMP; and test the effectiveness of workarounds.
Helping your organisation improve its cyber resilience
The response to each cyber attack is complex and unique – with impacts crossing stakeholders, lasting years, and touching every part of corporate and social establishments. Fortunately, the cyber industry continues to develop new security methods. However, with the increasing reliance on cyber systems, the threat increases and so do the challenges for corporate response, which relies on having plans in place and non-technical skills developed.
Ricardo is committed to working with its clients to mitigate the challenges posed by any incident. We use a bespoke methodology to enhance readiness, response and recovery with innovative training and exercising to build the most effective response at operational, tactical and strategic levels.
1 Contains public sector information licensed under the Open Government Licence v3.0 (www.nationalarchives.gov.uk/doc/open-government-licence/version/3/