Is your business ready to deal with the impact of a cyber-incident?

While high-profile attacks on major companies make the headlines, cybersecurity has become a salient issue for businesses of all sizes.

Recent data from the National Cyber Security Centre (NCSC) revealed that cyberattacks are an evolving threat. Data published last summer found that every 47 seconds, there was a cyber-attack on a UK business.

DIGIT’s annual Scot-Secure event this year discussed topics including the implications of such an attack on your business, as well as ways to combat the short and long-term impact.

An afternoon panel session, headed by Jude McCorry, CEO at the Scottish Business Resilience Centre (SBRC), discussed the potential implications of such an attack, and ways to plan and respond.

Declan Doyle, Head of Ethical Hacking at SBRC; Catriona Garcia-Alis, Senior Associate at CMS; and Kirsten Paul, Associate Director & Head of, provided insight from the perspective of the law enforcement, legal and communications sectors.

McCorry prefaced the discussion by stating: “You will not be critiqued, and you will not be judged if you have a cyber-attack, but what will happen is you will be judged and critiqued on how you’ve handled it.”

Cyber-incident considerations

Doyle opened the panel discussion with a focus on what a business must think about once hit with an attack.

“When you find out that you have had an incident, the first thing that we always advise is take a breath, and be prepared for the long haul, because the worst has happened and things are going to get quite bad,” Doyle said.

“It doesn’t mean it’s the end of the world or anything like that. And there is a lot of support out there, particularly here in Scotland.”

Doyle said that the first thing a company must do is discover the extent of the incident before they can move forward.

“And then once you discover the extent you need to bring in the relevant third parties,” Doyle commented.

He added that if third parties such as regulators and cyber-insurers are to become involved, it is vital to tell them that you have suffered an incident; they will be spending a lot of time with you over the next 24 to 48 hours.

Next, plan how to deal with the incident. Doyle recommended assigning key people within your organisation who would be responsible for liaising with the external or third parties.

Doyle moved on to talk about the support available in Scotland. “If you’ve been hit with a cyber incident, in most cases, there’s going to be a crime that’s committed too, so you should be phoning the police on 101,” Doyle said.

“They have resources available and can help you with any sort of recovery. And they may also have extra information that could be useful if you have an incident,” he said.

Doyle continued: “You should hopefully have an incident response plan created, and if not, I would encourage that to be the first thing you do when you leave the conference today.

“It is absolutely vital that you have at least something vague written down so that you can follow that when an incident occurs,” he said.

Doyle finished by saying that once you have a plan, you must practise it in advance of an attack. “You don’t want the first time you actually go through the plan to be when you’re hit with a real incident,” he concluded.

The legal considerations of cyber-incidents

Catriona Garcia-Alis then continued the discussion by talking about the legal implications and risks arising from a cyber-incident.

She highlighted the importance of a risk management strategy, which gives business leaders a chance to “work out what holes you’ve got in your handling capabilities in advance of an event”.

In terms of the legal considerations, she began her talk with the regulatory notification obligations that arise from a cyber incident.

“First of all, consider what regulators your business owes obligations to – making sure that they are factored into your response plan,” Garcia-Alis said.

She added that knowing who to report incidents to and when you must report them is vital, to mitigate your risk of regulatory fines and penalties, but also to clarify and identify important information that you’re going to need to have for other urgent communications.

The main regulatory obligation that must be considered, in the case of a data breach, is the UK GDPR. UK GDPR applies to all organisations that provide goods and services in the UK.

“First, you need to work out if you do have a personal data breach, and that’s defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data,” she said.

“There’s an obligation to notify the ICO within 72 hours of becoming aware of the breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons,” Garcia-Alis added.

Additionally, if a personal data breach is likely to result in a high risk to the rights and freedoms of a natural person, the affected data subjects will also need to be notified of the breach.

Reputation management and crisis comms

Kirsten Paul began by noting the value of a positive reputation when you are in the “eye of the storm” and going through any stage of a crisis, “cyber or otherwise”.

She commented that it is important not to lose control, because when you lose control, “that’s when things can go wrong”.

The language around the breach and the way that you continue to run your organisation is very important, Paul noted.

“Running of the organisation, how you speak to prospects; how you speak to your customers; how you speak to your employees. Maintaining that management when going into a level of incident like this will stand you in good stead because you’ve already laid the groundwork on how individuals think about you and how the media think about you,” Paul commented.

She continued that firms are unlikely to see a slowdown in cyber incidents. This means that how you deal with an incident, and the quality of the cyber response plans you have in place, is what will determine whether you successfully deal with a crisis.

You can split how an incident is dealt with into three areas, Paul said: before, during and after. She added that there is a tendency to discuss the preparations for a future attack, but it is just as important to consider the after.

Not only is suffering an attack potentially damaging, from a reputational perspective, but dealing with it incorrectly could be “devastating” for an organisation.

“So, what do the media want? They want an apology first and foremost,” Paul stated. “They want you to explain, own it, apologise, fix it, and move on. If the corporate apology isn’t forthcoming, that is what becomes the story.”

The media are also looking for a ‘figurehead’; someone to take control and explain the problem concisely. This would tend to be the CEO of the organisation.

“They [the media] also want a quick response. Speculation completely fills a vacuum,” Paul continued. “It makes life much harder for you to rectify the reputational damage.”

She continued: “Even if you don’t have the answer straightaway – during a cyber incident it will take some time for you to understand what’s happening – you need to come to the fore with what you know now.”

In terms of what happens next, Paul said that the ‘post-mortem’ of the incident is vital. Looking more deeply at how you dealt with the incident, whether your information was correct, the tone you used, and the clarity of your conduct are all important parts of the communications process.

Lastly, Paul said, once all of this has taken place, the next stage is to remedy the situation.

“It’s important to get back up and running again so that you can continue rebuilding your reputation,” she added.
