8 Key Lessons in Managing Cybersecurity Incident Response
By Jamie Saunders

For the past decade of my career, I’ve been deeply involved in the cybersecurity space – working on cyber crime issues and cybersecurity policies for the UK government, as well as serving as a board member and advising businesses on their own cybersecurity policies and helping them formulate a response to cyberattacks – both in preparation for potential attacks, and in the aftermath of when they actually happen.

People have a lot of misconceptions about how cyberattacks might impact their organisations. In this article, I’d like to share some lessons I’ve learned from my experiences in the trenches.

  1. When an incident takes place, the entire organisation is impacted.

    When an incident hits, your chief information security officer and IT department are busy trying to understand what happened and trying to recover systems. They’re not focused on managing the consequences for the business, even though the organisation has to continue operating through an incident.

    When the crisis management team is discussing their response, 70% or 80% of the conversation is about managing the consequences, rather than the operational factors of the incident. But obviously, both are incredibly important.

    Before an incident takes place, your organisation needs to ensure that everyone understands their roles and is equipped to perform them. Good crisis planning and meaningful exercising are the way to do this. Lots of organisations do this for crises of all sorts, but assume that cyber crises are somehow different and that everything will be the responsibility of the technical experts. This is not so.

  2. It’s critical to define a clear line of command.

    Organisations can get rapidly overwhelmed with the need to juggle technical response, business response and stakeholder management. Delegation based on clear accountability is key. Keeping track of who is doing what is essential, and any actions slipping to the right need to be picked up quickly.

  3. Having easy access to the right information in the heat of the crisis is essential.

    Organisations usually have a good handle on their physical assets, but a less intuitive feel for their information assets. For example, what information is held, who/what are the data subjects, where is it stored, and who has it been shared with? Crisis Management Rooms often have maps of physical plants on the walls, but few have maps of the information architecture to understand where all the data is contained and who has access to it. This makes managing, say, a data breach very difficult.

  4. Clearly define your operational protocol, and the situations in which employees can act independently rather than waiting for direction.

    Speed is of the essence in the aftermath of a cyberattack, but employees often find themselves waiting for instructions on how to respond, or unsure whether they have the authority to make a decision. Instead, follow the example of the military’s Mission Command. Military commanders are very clear about what outcomes they want and the parameters within which people should operate, and then they are able to delegate with confidence, because people know what they’re trying to achieve and they know the parameters within which they need to achieve it.

  5. You’ll rarely have an overall picture of the damage from an incident immediately – so proceed with caution when sharing information publicly.

    Cyber crises are opaque, in that it is difficult to tell at the start (or indeed in the middle, or even at the end) precisely what has happened. This is a massive challenge for both operational response and strategic messaging. In particular, the wrong messaging can make an incident far worse, particularly if it creates panic. Thinking about comms in advance and exercising discipline during an incident is crucial. In some cases, just a small fraction of customers might be impacted by a breach – don’t share more information than you’re required to before you know the whole story, or you’ll risk causing undue fear and attracting more attention than is warranted.

  6. It’s important to have a communications platform that you can trust that’s separate from your organisation’s infrastructure.

    If an organisation's core systems have been compromised, it becomes difficult to know what information you can trust. Are your internal communications secure? Is the information on which you are making decisions reliable?

    At this point, it becomes imperative to have a private dedicated platform that can be used for information gathering and sharing, that you know your attacker doesn’t have access to. Using a platform like Cygnvs provides a version of the truth that you can validate, trust, and rely on to make decisions about how to handle the fallout of an attack.

  7. Ensure that you have documentation of how your organisation responded to the attack.

    Any major incident is going to attract a lot of attention and a lot of post mortems – from customers, regulators, investors, politicians, and the general public. This means you have to be able to demonstrate that you made the right big calls, both pre- and post-incident. There will be lots of armchair generals telling you what you should have done. Record keeping can become very important. Most incidents end with someone saying “if only we had …”

    Being able to show that you did everything you could reasonably be expected to do to prevent an incident from occurring will help your organisation limit its liability, as will being able to show that you made the right calls during the management of the incident itself. And if you’re aware of mistakes that you made, you’ll be able to analyse the situation to ensure that you’ll be more prepared if another incident takes place.

  8. Keep an eye on the long game.

    While a cyberattack can seem like a terrifying prospect when it happens, over the long term, your organisation will be remembered for how it responded to it and the steps you took to limit its severity and to protect your customers. How will you want to look back on the incident? What are the really big things at stake? Is there a silver lining to even the darkest cloud? How can your organisation come out of the incident stronger?

    If you can show that yes, you had an incident, but you dealt with it in an exemplary way, that may enhance your organisation’s reputation instead of detracting from it.

Despite all of your best precautions, your organisation may still find itself facing a cyberattack – but by putting a dedicated strategy in place beforehand, with technology like Cygnvs that helps you automate workflows, document your actions, and connect with key stakeholders on a private, encrypted platform that’s separate from systems that may be compromised, you will be able to quickly mitigate the impact of the attack and restore operations. By preparing for the worst-case scenario, you will be able to navigate through crises with agility – and come out stronger on the other side.

Jamie Saunders
Jamie is a strategic security consultant, providing security and risk management advice to a range of large corporations and governmental organisations. He is a Fellow of the James Martin School at the University of Oxford and a Fellow of the European School of Management and Technology’s Digital Society Institute. He is a member of the U.K. Government’s Expert Advisory Group on Cyber Resilience and a member of the Advisory Group of the U.K.’s Association of Insurance and Risk Managers in Industry and Commerce. He is also advising a number of digital security startups in the U.K., U.S. and Japan. Jamie retired from the Board of the U.K. National Crime Agency in 2017 after 29 years of public service, the majority at the U.K.’s national signals intelligence and cyber agency, GCHQ.