Being ready for attack

Sunday, 01 June 2014

    No organisation is safe from a cyber-attack. That is why it is vital to have a crisis plan in place to limit the damage of a major event. Zilla Efrat reports.


    It is not if, but when, a cyber-attack could happen. That is why directors need to ensure that their organisations have a crisis plan in place to respond to and limit the fallout from a major incident. Yet, recent research by BAE Systems Applied Intelligence found that 39 per cent of Australian organisations did not have or were not aware of a crisis response plan in the event of an attack. At the same time, 84 per cent of those surveyed expected the number of cyber-attacks to increase in the next two years.

    Richard Watson MAICD, managing director, Asia Pacific and Middle East, BAE Systems Applied Intelligence (Twitter @BAESystems_AI), observes: “While some attacks will have minor impact, others may threaten the reputation of the organisation and a poor response to these attacks will often increase the fallout from a major incident. Consequently, the organisation needs to have effective processes to identify attacks early and then respond to these in a structured and repeatable manner, with a clear delineation of responsibility.”

    He adds: “It is common for recovery plans to fail on first contact with a major event. They need to be tested to ensure they are effective and sufficiently flexible to cover a range of risks, such as critical system outages, loss of system integrity or a compromise of sensitive data. They also need to consider the full range of stakeholders that need to be kept informed, such as customers, staff, media or regulators.”

    Watson says boards and management should consider the following when drawing up a plan:

    • Do we have an adequate understanding of our environment to make decisions in the event of a crisis, including which systems (internal and external) underpin critical business processes or hold sensitive data?
    • Do we have the ability to detect the more sophisticated and targeted cyber-attacks? Do we use independent analysis to look for signs of active compromise?
    • Is the cyber crisis response plan documented and regularly tested? Is there a clear chain of command, particularly if critical business systems need to be shut down? Does the plan consider the full range of stakeholders who might need to be kept informed?
    • Are agreements in place to promptly mobilise in the event of a crisis?

    Watson notes: “The role of the board should be similar to its role in a conventional crisis plan. One major difference is that in a conventional crisis, often a single incident, the extent of the crisis can become clear within the first day. But in a cyber-related crisis, the circumstances, extent, cause and motives of the attack can sometimes be unclear for days while an investigation is undertaken. This means that in the early stages, communications and decisions may need to be made with only a limited understanding of what is happening.

    “The split of responsibility between the board and management needs to be clear in the event of a crisis. Otherwise there is scope for a poorly coordinated response or for board action that directly undermines or interferes with management actions at a time when decision making needs to be quick and effective.”

    Red flags 

    Watson says the following may signal to directors that a company has not devised an effective crisis plan for cyber-attacks:

    • Well documented plans which have not been tested, communicated to the relevant people, or signed-off by senior management. 
    • Plans which are overly specific to one type of incident and neglect others.
    • Lack of clarity around decision-making and responsibilities. 
    • Lack of adequate or up-to-date documentation on network and system architecture.
    • Lack of integration with broader crisis management plans.
    • Lack of a preferred provider for expert incident response assistance.
    • A poor ability to detect a covert cyber-attack, which can mean the organisation is losing information for months (or even years) before the attack is noticed and a crisis declared.
