The Cyber Resilience Centre for Wales’ (WCRC) Community Ambassador member, Exercise3 is a business in the UK dedicated to creating and running realistic cyber exercises. The organisation, which is an NCSC-approved cyber incident exercise provider, helps businesses learn how to respond to a real-life cyberattack, providing them with the knowledge and skills necessary to be fully prepared if they ever did fall victim.
With decades of experience in dealing with complex cyber incidents and running exercises, Exercise3’s founder Elliott Atkins takes us through what factors businesses need to consider when faced with a cyber-attack.
Communications
This is probably the biggest challenge during a cyber incident. Firstly, how are you going to communicate when your IT systems might not be working, or you may not be able to trust them? Have you got a safe, secure way to coordinate your response activities? Sometimes the quickest way is just to decamp into a room with a whiteboard! Consider alternative methods for reaching your staff, customers, suppliers and stakeholders, and then make sure they’re tried and tested.
Even if you do have a comms channel that doesn’t rely on your IT (like SMS or WhatsApp), I often find that contact details for staff, customers and suppliers are all stored on IT systems, which may be unavailable during an incident. Ensure there are offline copies available along with a hard copy of your response plan.
Once you’ve worked out how to communicate, and who you’re going to communicate with, the next challenge is knowing what to say. Are there certain words or phrases that you want to avoid, like saying “we’ve been hacked” or publicly attributing the believed source of the attack? If so, consider having some pre-written, pre-approved comms statements which you can use, rather than trying to create something in the middle of a crisis.
Single Points of Failure
These are key pieces of technology, data, or knowledge that, if compromised or disrupted, could bring down an entire system or network, causing your business to come to a crashing halt.
When it comes to a cyber-attack, it is crucial to identify potential single points of failure, understand their significance, and implement effective strategies to address them.
They can be broken into five groups:
Hardware failures
Software failures
Power outages
Network connectivity
Human error
Normally, in my experience, it’s individuals within an organisation who hold specific knowledge that isn’t written down anywhere, so the whole response relies on them being available. Other times it’s single points of failure in the systems and infrastructure needed to return to business as usual.
Third party reliance
Every business is reliant on others for its successful operation, and this is particularly true in IT and cyber security. From internet service and hosting providers, software and hardware suppliers, right through to managed security services, most organisations have a complex web of contractors who may need to be engaged with during a cyber incident. Testing those linkages and relationships before a crisis occurs is something which can pay dividends, especially if you rely on third parties to be part of your response activities.
Be ready for the long haul
The after-effects of a cyber-attack can take weeks, or even months, to resolve. Incident response plans are often written as a set of steps which will occur sequentially, but in reality the response activities often loop back around as new evidence comes to light, and different strands of work may be operating in parallel.
Very few incident response plans take into account that the same small core team of responders may well be working on multiple incidents at the same time. This can prove both physically and mentally exhausting after a few months. The wellbeing of staff, and the fact that certain IT systems may be unavailable for prolonged periods, should be planned for and rehearsed.
Restoration plans
These are often a forgotten or untested piece of the puzzle. Once you’ve contained and eradicated the threat, you will want to begin recovery actions as quickly as possible. However, in most businesses, there is a logical order to bring things back online. For example, there’s no point restoring end-user computing if your domain controllers or mail servers aren’t yet working. Documenting and testing dependencies, as well as identifying business-critical systems will help to guide and prioritise restoration efforts.
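The restoration ordering described above can be made testable rather than left in a document: record each system's prerequisites, then derive the order from them. The following is an added example (not Exercise3's or the WCRC's code) using a constructed, hypothetical dependency map; it groups systems into waves that can be restored in parallel, puts the systems that business-critical services need first, and refuses to produce a plan when a dependency is undocumented or circular, which is exactly the gap a rehearsal should expose.

```python
# Constructed sample: each system lists the systems that must be back before it
# can be restored (hypothetical environment, not any real organisation's estate).
DEPENDENCIES = {
    "network-core": [],
    "identity-dc": ["network-core"],
    "dns-dhcp": ["network-core"],
    "backup-server": ["network-core"],
    "mail": ["identity-dc", "dns-dhcp"],
    "file-server": ["identity-dc", "backup-server"],
    "erp": ["identity-dc", "file-server"],
    "end-user-computing": ["identity-dc", "dns-dhcp", "mail"],
}
BUSINESS_CRITICAL = {"erp", "mail"}  # assumed priorities for this sample

def systems_supporting(deps, critical):
    """Every system a business-critical system depends on, transitively, plus itself."""
    needed, stack = set(), list(critical)
    while stack:
        system = stack.pop()
        if system not in needed:
            needed.add(system)
            stack.extend(deps.get(system, []))
    return needed

def restoration_waves(deps, critical):
    """Group systems into waves: each wave can be restored in parallel once every
    earlier wave is working. Within a wave, systems that a business-critical service
    needs come first. Raises ValueError if the dependencies are incomplete or circular."""
    remaining = {system: set(needs) for system, needs in deps.items()}
    unknown = {d for needs in remaining.values() for d in needs if d not in remaining}
    if unknown:
        raise ValueError(f"dependencies with no restoration entry: {sorted(unknown)}")
    priority = systems_supporting(deps, critical)
    waves = []
    while remaining:
        ready = [s for s, needs in remaining.items() if not needs]
        if not ready:  # nothing restorable, yet systems remain: a dependency loop
            raise ValueError(f"circular dependency among: {sorted(remaining)}")
        ready.sort(key=lambda s: (s not in priority, s))
        waves.append(ready)
        for system in ready:
            del remaining[system]
        for needs in remaining.values():
            needs.difference_update(ready)
    return waves

if __name__ == "__main__":
    for number, wave in enumerate(restoration_waves(DEPENDENCIES, BUSINESS_CRITICAL), 1):
        print(f"wave {number}: {', '.join(wave)}")
```

For the sample map this yields four waves, with the domain controller, DNS and backups restored before mail and file services, and end-user computing last, matching the ordering the text describes.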
For companies looking to bolster their cyber resilience through ‘cyber-exercising’, the National Cyber Security Centre (NCSC) recently launched a new Cyber Incident Exercising (CIE) scheme to assist UK businesses in finding high-quality providers to help them rehearse, evaluate and improve their cyber incident response plans.
The WCRC’s Community Ambassador membership programme is made up of an increasing number of Welsh organisations which are committed to strengthening the region’s cyber security resilience through awareness and knowledge sharing across the business community. So, if you’re interested in signing up, please contact us for more details.