Author: Johnty Mongan
Cyber incidents often occur without warning and at inopportune moments. When they do, the unfolding crisis can cause conflicting opinions on the necessary action and also impair people’s judgement, so it’s important to have a documented and agreed plan in place to guide your response.
Despite the increase in cyber-attacks in recent years, and the constantly changing nature of the threats, less than one fifth of businesses have a formal incident response plan for managing cyber incidents.1 Even more concerning, one in ten organisations has no plan at all.2
The four stages of a cyber-attack
To understand how to protect your organisation from a cyber-attack, you first need to understand how an attack works. In general, there are four stages to a cyber-attack.3
Survey—investigating and analysing available information about the target in order to identify potential vulnerabilities.
Delivery—getting to the point in a system where the attacker has an initial foothold in the system.
Breach—exploiting the vulnerability/vulnerabilities to gain some form of unauthorised access.
Affect—carrying out activities within a system that achieve the attacker’s goal.
19% of businesses have a formal incident response plan for managing cyber incidents.1
1 in 10 organisations do not have a cyber incident management plan at all.2
How to prepare your response plan
Work out your threat actors—one of the key factors in preparing your organisation’s response plan is working out the ‘threat actors’ (the groups or individuals capable of carrying out a cyber-attack) relevant to your organisation. This can help you make decisions on what you are actively going to defend against.
Contain the incident—it is important to contain the incident before it overwhelms resources or increases damage. To do this you will need to first determine the ‘how, what, where and when’ to confirm what kind of incident you are facing. Then, swift action will be needed to contain and isolate the affected systems. After the incident has been contained, eradication may be necessary to eliminate components of the incident, as well as identifying and mitigating all vulnerabilities that were exploited.
Take the necessary action—your plan must clearly state what action needs to be taken and by whom. This could involve, for example, calling in a contracted incident response company, taking down a public-facing website, notifying the relevant supervisory authority of a data breach, making a statement to the media, etc.
Investigate, recover and remediate—investigating the incident thoroughly with the help of a digital forensic team can help you understand the cause of the attack and what data has been compromised. This can help uncover any unpatched vulnerabilities or security loopholes that you may need to address.
Cyber incidents can occur in countless ways, so it’s difficult to develop step-by-step instructions for handling every single possibility. This is why partnering with a cyber risk management specialist can be so important—regardless of the size of your organisation or the sector you work in.
Gallagher’s Cyber Incident Response Clinics
Gallagher’s Cyber Risk Management team runs regular webinar clinics, providing a deep insight into how to plan and prepare for cyber incidents. The clinics provide a small, informal setting where we will help you identify, analyse and evaluate where the risks may be within your IT estate.
These sessions are aimed at the questions you should be asking about your cybersecurity and how to conduct a successful ‘lessons learned’ exercise in the event of an attack—allowing you to strengthen your cyber defences. To find out more about these webinars and how to book a place, click here.