Dr Amy Hughes-Stanley at Beyond Blue advises that organisations of all sizes and in all sectors must prepare for the inevitable - a cyber-breach
A recent study from Comparitech revealed that a record-breaking $133 million was paid to ransomware actors in 2024. These criminal groups compromised over 195 million records by launching successful attacks against thousands of organisations across the globe - catapulting them into uncertainty, both financially and operationally.
The figures underscore the prevalence of cyber-crime today and highlight the financial losses organisations are frequently enduring. They also serve as a wake-up call for organisations to prioritise their cyber-resilience measures.
However, safeguarding organisations and their complex digital and supply chain ecosystems isn’t solely about deploying tools and security solutions to deter attackers.
It’s equally crucial to have plans in place to ensure organisations can effectively recover from incidents, even when determined cyber-criminals inevitably do break through their defensive barriers.
Recovery: equal to prevention
In today’s interconnected world, no organisation is immune to cyber-attack. Attackers are becoming increasingly sophisticated, while organisations become more vulnerable as their digital ecosystems grow.
From complex supply chains and spear phishing of employees to vulnerabilities in ubiquitous enterprise software, criminals now have a plethora of avenues to compromise a target.
This is bad news for organisations, but it also reinforces the importance of preparedness. If not all attacks can be prevented, minimising their impact and safeguarding business continuity and recovery become even more important.
But this level of resilience can only be achieved when organisations have well-oiled recovery plans in place.
Incident response planning helps organisations prepare for attacks and can act as a blueprint for managing the fallout of a breach, detailing clear procedures for containment, eradication, recovery and communication. Without this structured approach, businesses often face prolonged downtime, reputational damage and significant financial losses when incidents occur.
However, just having a plan written up isn’t enough. If the plan simply sits on a shelf gathering dust, organisations never know for sure if what they have written down in theory will work in practice.
This means that, for incident response planning to be effective, organisations must regularly exercise their plan as well.
Cyber-incident exercising
Cyber-incident exercising allows organisations to test their response to disruptive events in a failsafe environment, so they can understand how effective their plans are, and where they fall short.
Exercises also provide an opportunity for employees to test out their roles and responsibilities and ask questions, helping prepare them for real events.
When it comes to running incident response exercises, organisations should identify various scenarios which could impact their operations and then rehearse their response to them.
In the cyber-security realm, this could mean running a ransomware exercise, testing an organisation’s response to a data breach or rehearsing an organisation’s ability to function during an outage at a key partner. Every organisation will be different, but the key is to identify a set of plausible scenarios which would have a detrimental impact on the organisation if not managed properly.
Scenarios can be exercised in several ways: as a tabletop exercise, a live real-time simulation, or a hybrid approach. No matter the approach, they should be as realistic as possible to give organisations an accurate view of how their existing strategies will perform in a major disruptive incident.
Some of the key questions that could be addressed in the exercising include:
Though these are just examples and each organisation is unique, practicing responses to these questions through exercising can help tackle technical, logistical, and communication issues likely to arise during a real security incident.
While planning is essential, inevitably not all situations can be forecast. When a real incident does occur, organisations should not only put their rehearsed response into action but also update their plans when unexpected situations arise.
One of the biggest misses following an actual incident is failing to conduct a thorough debrief, which helps organisations better prepare to deal with future incidents. The debrief and subsequent reported recommendations are critical in turning ‘lessons identified’ into ‘lessons learned’.
Cyber-attacks are inevitable today, so organisations must prepare for incidents and prioritise their ability to recover. By adopting a proactive approach to incident response exercising, businesses can reduce downtime, minimise damage, protect their customers and improve their resilience - safeguarding their survival even when adversity strikes.
Dr Amy Hughes-Stanley is Cyber and Resilience Consultant at Beyond Blue