Practical Strategies for Responding to a Cyber-Attack

November 1, 2019 | David Krebs

The author would like to thank the co-author of this article, Claudiu Popa[1], for his contributions and expertise in this area.

Organizations across industry sectors are learning to recognize just what cyber-attacks look like, as Canadian companies are experiencing dozens of such attacks each year, according to a recent study.[2] Increased enforcement by regulators in the European Union, Australia and North America translates to growing public scrutiny of organizations that experience data breaches, not only abroad but now more than ever here in Canada. Experience tells us that having a readily available toolkit of practical strategies for responding to a cyber-attack plays a pivotal role in mitigating organizational risk and reducing potential harm to any third parties affected.

In this article we describe four of the most important aspects of a proper response alongside the pitfalls to avoid. Let’s begin with the end in mind. What are some of the common problems with a chronic failure to properly address breaches?

  • Slow to react: For many different reasons, an organization can find itself in a situation where it takes too long to engage, react and report on the incident. The delay breeds panic, embarrassment, fear and avoidance, which in turn produce serious and damaging outcomes such as downplaying the severity of the breach. The result is a vicious cycle of embarrassment and prolonged, heightened public scrutiny.
  • Jumping the gun: Unprepared respondents can instinctively react to incidents by shutting down critical operations, deleting valuable evidence or even damaging information assets that could have been salvaged. The investigation is then compromised, leaving little indication of the extent of the original breach. Organizations in this position have little choice but to assume the worst and err on the side of over-reporting rather than precisely stating the extent of the damage.
  • Lack of coordination: When overall priorities are not properly managed or communicated, decisions are made in a vacuum and reporting to management is inconsistent. Unfortunately, this can lead to inconsistent external messaging and legal notification, with all the compliance and legislative consequences that entails.

If your organization is concerned about future cyber attacks, you’re not alone. According to the 2018 CIRA Cybersecurity survey report, 88% of Canadian companies share similar concerns. To avoid the above common pitfalls, organizations should follow these “Dos and Don’ts” for dealing with cyberattacks.

DO:

Detection: Have the right processes and detective safeguards in place to find out about malicious situations.

The best response plan cannot be effective if perilous incidents are not detected in a timely manner. Detective controls don’t have to be expensive or complicated:

  • File and folder auditing is a built-in feature of modern operating systems. Once it is enabled for the files and folders that matter, any access to them – read, write or delete – is recorded in the event logs for later review.
  • Intrusion detection systems (IDS) are a common feature of modern network devices, available either as free open-source software or as an optional capability of a firewall. They report on unusual network activity and can serve as an early warning system for data breaches.
  • Cloud service providers also have their part to play in detecting nefarious activity. Scrutinize your service agreements and specify that you must be notified of any activity with a potential security impact on your operations.
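Event logs produced by file and folder auditing are only a detective control if someone actually reviews them, and in practice that review is automated. The following script is an added example, not code from the original article or its authors. It parses a handful of constructed audit records (a simplified, assumed layout modelled loosely on Windows Security event 4663, "An attempt was made to access an object"; the field order, the server name fs01 and the user names are all invented) and applies three simple rules: a deletion in a sensitive folder, access to that folder outside assumed business hours, and a burst of reads across many sensitive files by one account, which is the pattern a bulk copy would leave behind.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "<timestamp> <event_id> <user> <path> <access>".
# This layout is an assumption for the example, not a real log export format.
SAMPLE_LOG = r"""
2019-10-28T09:12:03 4663 alice \\fs01\hr\payroll_2019.xlsx ReadData
2019-10-28T09:14:45 4663 alice \\fs01\hr\payroll_2019.xlsx WriteData
2019-10-28T13:02:10 4663 bob \\fs01\eng\roadmap.docx ReadData
2019-10-29T02:31:07 4663 svc-backup \\fs01\hr\payroll_2019.xlsx ReadData
2019-10-29T02:31:08 4663 svc-backup \\fs01\hr\benefits.xlsx ReadData
2019-10-29T02:31:09 4663 svc-backup \\fs01\hr\terminations.xlsx ReadData
2019-10-29T02:31:10 4663 svc-backup \\fs01\hr\sin_numbers.csv ReadData
2019-10-29T02:31:11 4663 svc-backup \\fs01\hr\contracts.pdf ReadData
2019-10-29T02:31:12 4663 svc-backup \\fs01\hr\payroll_2018.xlsx ReadData
2019-10-29T10:45:00 4663 carol \\fs01\hr\benefits.xlsx DELETE
"""

# Tunable assumptions: which shares are sensitive, what "business hours" means,
# and how many distinct sensitive files read in one window counts as a bulk read.
SENSITIVE_PREFIXES = (r"\\fs01\hr",)
BUSINESS_HOURS = range(7, 20)          # 07:00 to 19:59 local time
BULK_READ_THRESHOLD = 5
BULK_READ_WINDOW = timedelta(minutes=10)
FILE_ACCESS_EVENT_ID = 4663


def parse_log(text):
    """Turn the whitespace-separated sample records into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, path, access = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "user": user,
            "path": path,
            "access": access,
        })
    return events


def is_sensitive(path):
    """Case-insensitive prefix match against the sensitive share list."""
    lowered = path.lower()
    return any(lowered.startswith(p.lower()) for p in SENSITIVE_PREFIXES)


def find_alerts(events):
    """Apply the three detection rules and return a list of alert tuples."""
    alerts = []
    after_hours_seen = set()            # one after-hours alert per user per day
    reads_by_user = defaultdict(list)

    for e in events:
        if e["event_id"] != FILE_ACCESS_EVENT_ID or not is_sensitive(e["path"]):
            continue
        if e["access"] == "DELETE":
            alerts.append(("sensitive_delete", e["user"], e["path"]))
        if e["time"].hour not in BUSINESS_HOURS:
            key = (e["user"], e["time"].date().isoformat())
            if key not in after_hours_seen:
                after_hours_seen.add(key)
                alerts.append(("after_hours_access",) + key)
        if e["access"] == "ReadData":
            reads_by_user[e["user"]].append(e)

    # Bulk-read rule: the largest number of distinct sensitive files one user
    # read inside any sliding window of BULK_READ_WINDOW length.
    for user, reads in reads_by_user.items():
        reads.sort(key=lambda r: r["time"])
        peak = 0
        for i, start in enumerate(reads):
            in_window = {r["path"] for r in reads[i:]
                         if r["time"] - start["time"] <= BULK_READ_WINDOW}
            peak = max(peak, len(in_window))
        if peak >= BULK_READ_THRESHOLD:
            alerts.append(("bulk_sensitive_read", user, peak))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run as-is, the script flags the service account reading six HR files at 02:31, once as an after-hours access and once as a bulk read, and flags carol's deletion of a payroll-related file; alice's daytime edits and bob's engineering document produce nothing. The thresholds are deliberately simple and would need tuning to a real environment, but the point stands: the logs the article describes are only useful if something is looking at them.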

Know and empower your team: identify your response team and make contact with your selected legal counsel/breach coach well in advance of an urgent situation.

Establish a committee (before an attack occurs) and give it a clear mandate, empowering its members to make decisions in the event of an attack. This includes identifying the chair of the committee and setting clear expectations of what they are authorized to do in the case of a cyberattack. The chair or project manager should be experienced in managing budgets, giving instructions and dealing with upper management. The committee should also be balanced in terms of expertise (core areas: communications, legal, and IT).

Test your response plan:

Think of your response plan as a living document and a process that improves and evolves over time. Outline your response plan in advance and test it against different simulated scenarios. Every crisis is unique in its own way and every organization has different needs, so another organization’s response to one attack may not be appropriate for a breach your organization might encounter. Also, ensure management is aware of the plan as well as the resources proper execution of that plan will require.

Ensure effective communication between management and the breach response team

Management needs to be informed about the risks facing the business, and cyber-attacks are no different in this respect. The difference is that the size of these risks can change quickly, so it is essential to find a balance between over- and under-informing the organization’s leaders, making sure key developments are communicated so that time and budgets can be prioritized.

DON’T:

Have a false sense of security

Ensure that warnings and alerts are seen by the correct people, with the ability and authority to trigger a breach protocol. Organizations should be aware that, despite their best prevention efforts, they could still experience a cyberattack. Having a plan does not mean one is immune to risk. A portion of any cybersecurity budget should be allocated to identifying incidents, not only to preventing them.

Downplay the situation

It can almost be instinctive to want to downplay the severity of the breach. Instead of downplaying the problem, focus on transparency and the proper sequencing of response activities.

Similarly, assigning blame should not be the focus of your efforts. While it’s tempting to downplay or deflect in order to shift attention away from your organization, doing so only detracts from efforts to quickly resolve the crisis.

Discount users as being part of your security framework

Users want to be empowered and feel like they are contributing; organizations should let them do that. Train your staff and keep them in the loop. People are a significant factor in an organization’s success in minimizing the damage of a cyberattack, so it’s important to allocate resources for raising awareness among them.

Conclusion

It is important to swiftly react to a cyberattack, but if the reaction is not appropriate for the circumstances it has the potential to cause additional harm. These Dos and Don’ts offer a starting point for an organization looking to draft and implement a response plan.

According to CIRA: 40 per cent of Canadian companies interviewed experienced a cyber-attack in the last twelve months. Among medium-sized businesses (250-499 employees) this number increases to 66 per cent. Overall, one in ten companies experienced 20 or more attacks during this timeframe.

If you would like more information or to discuss your organization’s cyber-attack response plan, please reach out to us for a confidential consultation.


[1] Claudiu Popa is a leading authority on risk management, personal information protection and data security strategy, and an author. He is the co-founder of the KnowledgeFlow Foundation, a Canadian non-profit organization with the unique objective of bringing children, families and communities in touch with cybersafety techniques that provide lifelong protection from scams, privacy abuses, online victimization and cybercrime.

[2] 2018 CIRA Cybersecurity Survey Report: https://cira.ca/resources/cybersecurity/report/2018-cybersecurity-survey-report

Disclaimer

The blog sets out a variety of materials relating to the law to be used for educational and non-commercial purposes only; the author(s) of the blog do not intend the blog to be a source of legal advice. Please retain and seek the advice of a lawyer and use your own good judgement before choosing to act on any information included in the blog. If you choose to rely on the materials, you do so entirely at your own risk.