What Really Happens During a Cyber Attack?
Date: 22 July 2020
Cyber threats loom large today. So, have you wondered what actually happens during a cyber-attack? Can cybersecurity training, and specifically incident response training, help contain the chaos and pandemonium that ensues? In this blog, our CEO, Amar Singh, globally acknowledged expert on cyber resilience and crisis management and creator of the NCSC-certified Cyber Incident Planning and Response course, elaborates.
See what's in the blog below:
- Mistakes are made
- Evidence is tampered with
- Facts become elusive
- Communications are mired
- Mental health takes a hit
- STOP the mayhem and reduce the Panic.
An indescribable adrenaline rush, panic attacks, flaring tempers, flying files, tonnes of chaos, a lot of confusion, blame, guilt, desperation – does it sound like a scene from a sitcom?
Well, it’s also exactly what an organisation under attack looks like! Cyber criminals don’t discriminate based on size and sector when they attack. Their motives can be hard to fathom and their skills and modus operandi difficult to gauge. The only thing you can do is be prepared!
You need to know what a cyber-attack looks like and what happens when a business’s gold mine – its confidential client or customer data – is severely compromised.
What really happens during a cyber-attack and how the damage can be mitigated
1. Mistakes are & will be made
This is stating the obvious and the unavoidable. In a state of panic induced by the attack, decisions are made in a rush. Facts aren’t communicated clearly to key stakeholders, and too many times businesses that have been under attack have failed to inform regulators in time, leading to hefty fines and loss of business reputation. Not all of these mistakes can be avoided, because your incident response team is made up of humans and human beings make mistakes when under pressure.
But what can be avoided is the Headless Chicken Syndrome that often manifests itself in the chaos and confusion that follow an attack. This syndrome and its effects can, indeed, be mitigated to a large degree and the number of mistakes can be reduced if your team is trained well. If you have a solid incident response plan in place and have incident response playbooks to fall back upon, chances are that inadvertent and careless mistakes during an attack will be reduced and your staff will know, at least at the onset, what they should and shouldn’t do.
2. Sanctity of Evidence... Wait, What Evidence?
The most common problem that emerges in incident response is the deletion of evidence. Vital evidence of the attack and how it took place is often deleted – either on purpose or accidentally. Integrity of evidence is sacrosanct to effective incident response. It helps the IT and security team understand the attack methodology, figure out what can be done to stop it from spiralling out of hand, and prevent similar situations from recurring in the future. Evidence is also essential to regulatory compliance for reporting the attack correctly. Evidence, therefore, must never be tampered with, under any circumstances. The only way to achieve this is to have regular training that makes preserving evidence second nature in times of a crisis and to have a Cyber Incident Response Checklist that every member of the response team is so familiar with that it becomes a part of their muscle memory.
3. Facts are Nowhere to be Found!
In the aftermath of an attack, everyone is clamouring for FACTS but NONE are usually available. It is debilitating not to know the impact on the business and/or not to be able to rapidly identify the impact on the data subjects (ref. GDPR and breach notification). It is also essential to know if the data was encrypted and who has access to it. While knowing everything may not always be possible immediately after an attack, it is important to record all the facts on physical writing devices! The chain of events during the attack and any new facts that emerge during triage must be mapped, but not on an electronic system that is already compromised.
4. Communication - Major Headache
Inconsistent communications are another oft-seen byproduct of a cyber-attack. Due to the charged emotions, the mayhem and the chaos, communication threads in a crisis start to be coloured and corrupted with prejudices and personal notions. This must be avoided at all costs because, apart from adding further to the confusion, unclear communications can have legal repercussions.
The only solution to this challenge is a clear-cut crisis communications strategy. This strategy shouldn’t just list what steps to take and whom to communicate with; it must also lucidly define the taxonomy to be used and ban words that are misleading and create further confusion. Crisis communications is an essential aspect of cyber incident response training. Any staff member who will play the lead role in crisis communications with stakeholders and the media must be thoroughly trained in this aspect, while all other team members must also be given basic orientation.
5. Did anyone say Mental Health?
It’s easy to forget that a crisis for the business is also a crisis for the staff – a serious mental and emotional challenge that can have far-reaching ramifications. Remember that when your employees are at their most vulnerable, they’re also most likely to make mistakes.
If you want to save your business more damage than it has already suffered, make your employees’ mental health a priority. Don’t blame anyone. Don’t admonish anyone in public for the attack. Show appreciation for those who have displayed patience and agility in dealing with the attack. Those who are clearly under severe pressure must be encouraged to take time off. Mental health of your staff must never be made collateral damage in a cyber-attack.
Steps to Avoid the Chaos and Confusion
If the above scenario sounds intimidating, it is. Our team of experts has seen the above and more. To be honest, it's inevitable. However, this mayhem can be avoided. How?
- Plan, Test & Build Muscle Memory: Everyone has some sort of incident response plan. However, have you rigorously tested these plans? Do they work? Does everyone know their roles? We recommend you also run tabletop exercises as they are an extremely effective way to 'kick the tires' of your plans.
- Cybersecurity Training: Generic training is good, but get your mid and senior management trained in planning and response strategies. We have a UK-Government NCSC-Certified training course on Cyber Incident Planning & Response that offers a non-technical course suitable for a wide range of audiences. There is a virtual classroom and e-learning option available as well.
- Have a solid Incident Response Plan: We cannot stress enough the importance of a working, fit-for-purpose cyber incident response plan. Check our Cyber Incident Response Plan Template.
- Playbooks: During a crisis even seasoned professionals need that additional bit of reference to ensure they are on the right track. Nobody expects you to have a photographic memory, especially not when you are under massive stress. Build playbooks for every critical scenario and ensure that they are tested and fit-for-purpose.
About the Author: Amar Singh is the CEO and founder of Cyber Management Alliance. He is an industry influencer and cybersecurity thought leader. Amar has served as CISO for various companies, including News International (now News UK), SABMiller, Gala Coral, Euromoney and Elsevier. He is the creator and trainer of CM-Alliance’s flagship course, the NCSC-Certified Cyber Incident Planning and Response training. Amar also facilitates Cyber Management Alliance's highly successful Cyber Tabletop Exercises, apart from delivering specialised internal consultancy on Crisis Management, Incident Response Playbooks and Media Communications.
More Information on the Certified Cyber Incident Planning & Response Course
The CIPR course is the perfect stepping stone for those who want to understand the basics of cybersecurity and cyber resilience and to develop core competencies in planning for, detecting and responding to a cyber-crime.
Not only is the course delivered by one of the most renowned cybersecurity trainers in the world, Amar Singh, it comes with a great reference material pack including worksheets, checklists, mind maps and free templates. It is the easiest and most effective way to enhance the efficiency and cyber-resiliency of your staff and make your business more compliant with data breach response regulations.