Cyber space is increasingly recognised as the fifth domain of warfare, with rising numbers of attacks by organised crime, hackers and state actors exploiting technological vulnerabilities. Businesses must prioritise cyber security, implementing cyber incident response plans to act swiftly during incidents to minimise damage and regulatory risks.
Our 'data and cyber school' series explores the importance of cyber security and the safeguards businesses can put in place to minimise breaches. In this third article, we look at the key steps to consider when responding to a cyber incident, and why businesses should invest in staff training and strong IT systems and infrastructure.
Land, sea, air and space. These were originally the four 'spaces' of warfare. There is, however, an area that has swiftly become the fifth space of warfare: cyber space.
Increasingly over recent years, attacks coordinated by organised criminal groups, professional hackers, hacktivists and state-sponsored actors have proliferated in the cyber space. Leveraging the rise in remote work and society's dependence on technology, attackers exploit vulnerabilities in cyberspace for commercial, political and financial gain.
Malicious attacks are not the only risk. Incidents resulting from human error and technological issues are just as prevalent – not even Microsoft is immune, as evidenced by the CrowdStrike Update in July 2024 which brought many businesses to a standstill.
With such potential threats looming and the resultant shift in mindset from 'if' to 'when' a cyber-attack or incident will occur, it is more important than ever for businesses to invest time, resources and money into securing and shielding their cyber space. The key to an effective response is to know what your response will be before the cyber-attack or incident occurs. The worst position to be in is to be hit with a cyber-attack (or to be fighting a data incident) whilst at the same time trying to piece together the steps required to get the business back on track, comply with laws and regulations and avoid reputational damage.
In this article, we highlight the five key factors when planning for a cyber incident.
1. Make a plan and get everyone on board
In the wake of an incident, there will inevitably be many issues to juggle simultaneously:
- time limits for reporting to regulators, insurers and key stakeholders;
- operational problems impacting the functioning of the business;
- reputational damage; and
- legal issues.
Timing is crucial following any kind of cyber incident. A cyber incident response plan ensures valuable time following an incident is not wasted. It will be tailored to the needs of a business and its stakeholders, enabling a business to be proactive rather than reactive. Net result: you will not be working out what needs to be done and who needs to be involved at crisis point.
When putting together a cyber incident response plan, think about what needs to happen in hours, not days. Time is an important weapon to be used against a cyber incident – the earlier you can get on top of it, the more control you have. The plan should include finding out what happened; who needs to be involved and at what stages; what notifications might need to be made and when; and what steps can be taken to ensure there is not a second wave of an attack or incident, which would take advantage of vulnerabilities from the first incident. Effectively anyone in the business should be able to pick up the plan and execute it.
After a cyber incident, audit trails are important, both for internal reporting purposes and for reporting to regulators and keeping stakeholders informed. A cyber incident response plan can be used as a checklist to follow and record exactly what happened and what has been done.
A defence is only as strong as its weakest link – everyone should be on board with proactively protecting the business from attack. Historically, there has been stigma attached to victims of cyber attacks and incidents. Whilst this is changing, businesses must eliminate this stigma as cyber incidents become a common part of our everyday lives.
In addition to ensuring personnel are effectively trained, a clear decision-making structure should be available. Not only does this make it clear what different individuals' roles are, but it allows swifter action to be taken, and key decisions and authorisations to be actioned in response to an incident. Decisions made in the wake of an incident are not usually part of day-to-day operations – and there is a real risk of paralysis if planning is not complete.
2. Assemble your team
An incident has occurred, there is a plan in place, and you turn to first steps:
- Engage lawyers;
- Engage IT/forensic specialists;
- Speak to key stakeholders.
Ok – but who exactly are these people? Are they lined up and ready to be contacted in the event of a cyber incident? Whilst it is helpful to identify that the above is needed, if you then need to identify and instruct each of these after the event, any time advantage gained by having the cyber incident response plan in place starts to slip away. Be precise in your cyber incident response plan as to exactly who you will need internally and externally.
Internally, ensure there is a clear list of key stakeholders who will need and want to be kept informed of what has happened and what is being done, and who will need to make decisions, e.g. should a ransom payment be made? (See the next instalment in our 'Data and cyber school' series for more on ransom payments.) The decision-making process should be embedded within the cyber incident response plan. Staff should be trained so they know what to do in the event of an incident and who to report to. The IT team should know if they are part of a core team working to establish what has happened; and there should ideally be a core team, with defined responsibilities, actioning the cyber incident response plan.
A solicitor should form part of your key Cyber Incident Response Team – whether that be in-house or external legal. Engaging legal advisors from the get-go is vital – legal advice will be constructive on decisions such as notification to the Information Commissioner's Office (ICO) and communications with third parties including contractual notices. Your solicitor can also help you to structure your internal communications so as to maximise the chance that they will be covered by legal privilege and therefore exempt from disclosure in any litigation or regulatory action – although you should be aware that involving a solicitor in and of itself does not mean that your communications will automatically be privileged.
3. Know your strategy
Think ahead and know the answers to the key questions below so that time and cost are saved:
- What is the stance on ransomware payments within the business?
- What are the 'crown jewels' of the business – what can the business not afford to lose? This could include proprietary assets, trade secrets or highly sensitive customer data.
- Are there any cross-border considerations to take into account in the cyber incident response plan or in an incident response?
4. Create your shield
The first line of defence should be up-to-date IT systems and robust back-up solutions.
The cost of such systems and maintenance should be balanced against the risks associated with cyber incidents for the business. Certain areas of business operations should be compartmentalised, so that if one area is compromised, the rest of the system does not fall like dominoes. The same goes for certain categories of data; more sensitive data or data crucial to the operation of the business should be subject to more stringent cyber security protections.
All personnel should be trained on the best security practices and what to be aware of in terms of red flags and suspicious behaviour.
Your cyber incident response plan should itself be stored separately and given greater protection, so that in the event of a cyber incident the risk of it being leaked or obtained by hackers is minimised.
The cyber incident response plan should be provided in hard copy to those in the Cyber Incident Response Team so that it is to hand if systems are inaccessible in the aftermath of an incident.
5. Get insured
... and ensure that your policy covers cyber security incidents. Ideally a policy should cover direct and consequential expenses, which includes the costs of engaging forensic investigators and legal counsel.
Simply having this policy is not enough. The Cyber Incident Response Team should also know what will trigger a policy and what a policy expects in the event of a data incident. For example, the policy may require there to be input from the insurer in respect of key decisions to be made during the cyber incident response. Being unaware of such requirements can slow matters down – and in some cases invalidate the insurance.
Notwithstanding the above, insurance should not be a substitute for ensuring that systems are updated, backed-up and everyone is sufficiently trained on cyber security and resilience. Insurance should be seen as the second line of defence. Ultimately it will only kick in if an incident actually occurs.
Tools to mitigate cyber harm: Gowling WLG's Cyber Incident Response Service
Did you know that Gowling WLG offers a 24/7 cyber incident response service? We provide comprehensive legal support when cyberattacks infiltrate your systems. We help businesses in managing regulatory obligations, cyber crisis management and handling potential litigation. The service advises on incident response planning, breach reporting, data recovery and post-incident support to ensure General Data Protection Regulation (GDPR) compliance and reporting to the Information Commissioner's Office (ICO). For immediate assistance or to discuss cyber security preparedness, please contact Patrick Arben or Amber Strickland. Alternatively, access advice on our Cyber Incident Response line: +44 (0)3300 577 071.
How prepared are you to handle a cyber attack?
As cyber space increasingly establishes itself as the fifth domain of conflict, businesses must recognise the urgent need to bolster their cyber security measures. The threat landscape of today's digital world underscores the necessity for a robust cyber incident response plan. This proactive approach not only prepares organisations to act swiftly in the face of an incident but also minimises damage, regulatory risks and reputational harm.
Gowling WLG's Data Protection & Cyber team brings in-depth experience in advising on cyber space protection and risk mitigation.
Read the original article on GowlingWLG.com
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.