What comes next | KPMG | CA

What comes next

You have firewalled off the network and encrypted the data. You have delivered the training and analyzed the threats. Now that your organization has taken measures to prevent a cyber incursion, how will it respond when a virtual disaster strikes?

And they will strike. Despite an organization's best-laid plans, cyber attacks happen. No security plans are 100 percent effective; so just as organizations need to embed preventative measures, they must also give thought to the specific actions they will take following a digital incursion.

To be fair, striking the right balance between hardening one's systems and designing an ironclad incident response program can be a challenge. That's where the right intelligence, industry partnerships, and an informed post-incident strategy can improve the odds of coming through an incident intact.

The power of threat intelligence

The minutes, hours, and days following a cyber attack are critical. It's in these stressful moments, however, where threat intelligence can bring clarity to chaos and give organizations a head start in their incident response strategy.

What is threat intelligence? It's having the tools and expertise to identify what makes your organization a target for cyber threat actors, where they are most likely to strike, and what they are most likely to do. With these insights at the ready, organizations can anticipate threats, choose the best defensive strategies, and react quickly in the aftermath of an event.

Six considerations for effective incident response

Intelligence is power, but it's nothing without action. When a cyber event strikes, there are several things an organization can do to land on its feet.

  • Don't pull the plug: The first reaction many organizations have following a cyber incursion is to shut down affected systems. Resist that temptation. Taking essential systems or equipment offline not only risks bringing operations or vital services to a halt, it also destroys evidence: powering a machine off wipes whatever is in memory (running processes, live network connections, memory-resident malware) and with it the opportunity to assess the full scope of the incursion. Instead of pulling the plug, contain the affected systems (isolating them at the network level, for example, so they keep running but can no longer reach the attacker), determine the nature of the attack, and assess the extent of the damage.
  • Communicate the incident: Critical decisions will need to be made after a cyber attack, and they will need to be made beyond the confines of your IT department. Business leaders will need to decide whether to pay out for ransomware, legal and compliance will need to plan their responses to the attack, and other departments will need to determine how best to keep business partners and vendors in the loop. Having an incident response communication plan at the ready is critical to ensuring everyone is on the same page and responding as per plan.

Remember that the way in which you communicate during these times will also shape how quickly you recover and how much reputational damage you sustain. To that end, be crystal clear about what you know, what you don't know, and what you are doing to resolve the situation.

  • Remember your obligations: Your organization may be subject to incident reporting requirements depending on the data it holds and the jurisdiction in which it operates. In Canada, for example, federal privacy regulations may require you to report a breach both to the affected customers and to the federal Privacy Commissioner. Broader data breach notification laws, such as those taking effect in the UK, are also on the way and will soon make it necessary to share full details of an event with all affected parties. Know which regimes apply to you, and what their reporting deadlines are, before an incident rather than after.
  • Resolve and assess: How a cyber incident is resolved will vary with a host of factors (the type of attack, its outcome, the affected systems, the preventative measures in place, etc.). Once you have taken action to address the immediate threat, it pays to understand the full scope of the incident and to gather intelligence against future incursions. That means establishing the full extent of the attack, determining whether it is a symptom of a broader problem (the initial point of entry, for instance, may still be open), and using the lessons learned to inform better cyber security practices. It also pays to connect with industry peers and cyber security advisors to learn about related incidents, share strategies, and learn how to prevent additional damage or repeat events.
  • Plan your response: Now that the damage is done, what will you do? Contact law enforcement? Launch a formal investigation? Consult a third party? How you remedy the situation will again be influenced by an informed incident response plan and an in-depth knowledge of your options.
  • Reflect and rebuild: It may be that an event was unavoidable. Then again, it may be that your organization had a fatal flaw in its cyber security strategy. Once the dust settles, do the work to re-examine your controls, re-assess what is really worth protecting (your data 'crown jewels'), confirm whether you really should be keeping all that data, and re-think your cyber strategy.
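As an added example, not taken from the KPMG article: a sketch of what "isolate, don't pull the plug" looks like on a Linux host. It captures volatile evidence first (processes, sockets, logged-in users, ARP and routing tables, the things a power-off destroys) and only then fences the host off with a default-drop firewall that still admits the forensic collector, so the attacker loses their channel while the machine stays up for triage. The collector address 10.10.0.50, the DRY_RUN switch, the EVIDENCE_DIR location and the function names are assumptions for illustration; a full memory image would normally be taken before any of this, with tooling this sketch does not include.

```shell
#!/bin/sh
# Added example, not from the KPMG article: "isolate, don't pull the plug"
# on a Linux host. Volatile evidence is captured first, then the host is
# fenced off with a default-drop firewall that still admits the forensic
# collector. Assumed names: COLLECTOR (hypothetical forensic workstation),
# DRY_RUN (print the rules instead of applying them), EVIDENCE_DIR.

COLLECTOR="${COLLECTOR:-10.10.0.50}"                          # hypothetical address
DRY_RUN="${DRY_RUN:-1}"                                        # 1 = print, 0 = apply (needs root)
EVIDENCE_DIR="${EVIDENCE_DIR:-${TMPDIR:-/tmp}/evidence-$$}"

# Run a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Firewall rules that isolate the host but keep the collector reachable.
# The allow rules are inserted before the DROP policies so an existing
# collector session is never cut mid-collection. $1 is the collector IP.
isolation_rules() {
cat <<EOF
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -I OUTPUT 1 -o lo -j ACCEPT
iptables -I INPUT 2 -s $1 -j ACCEPT
iptables -I OUTPUT 2 -d $1 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
EOF
}

# Capture what a power-off would destroy, most volatile first. Every
# command is best-effort so a missing tool does not abort the collection.
collect_volatile() {
    dir="$1"
    mkdir -p "$dir"
    date -u +%Y-%m-%dT%H:%M:%SZ > "$dir/collected_at.txt" || true
    ps -eo pid,ppid,user,etime,args > "$dir/processes.txt" 2>/dev/null || true
    { ss -tunap 2>/dev/null || netstat -tunap 2>/dev/null; } > "$dir/sockets.txt" || true
    who > "$dir/logged_in.txt" 2>/dev/null || true
    ip neigh show > "$dir/arp.txt" 2>/dev/null || true
    ip route show > "$dir/routes.txt" 2>/dev/null || true
    echo "$dir"
}

# Full procedure: evidence first, then the fence. $1 is the collector IP.
isolate_host() {
    collect_volatile "$EVIDENCE_DIR" >/dev/null
    isolation_rules "$1" | while read -r rule; do
        run $rule    # word splitting into argv is intentional here
    done
}

# Usage: DRY_RUN=1 sh isolate.sh prints the rules; DRY_RUN=0 as root applies them.
isolate_host "$COLLECTOR"
```

The order is the point: evidence collection runs before the firewall change because the collection itself needs the host in its compromised state, and the allow rules for the collector go in before the policies flip to DROP so the responder's own session survives the change.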

Sharing information: Industry leaders and public-sector agencies are coming together in defense against cyber attacks. Canada's Communications Security Establishment has a tool that organizations can install to identify malware and share that information with government agencies, which then pass that knowledge along to others. The RCMP has a similar program that collects incident data and shares lessons learned with critical infrastructure providers. Consider linking up with these partners and with peers within your industry to share knowledge and build a united front.

Planning for the inevitable

Imagine waking up the morning after a cyber attack to find your organization has made the front page. Now imagine what you would like that headline to read. Will it be about a company that has been hacked but has a plan in place to mitigate the damage, or one about a company that was caught off guard and is now scrambling to form a strategy?

Naturally, you would choose the former, and that requires a strong incident response plan, informed by accurate threat intelligence, and exercised regularly by all members of the organization. To that end, regular tabletop exercises, ongoing security control assessments, and learning from past events keep your incident response plan up to date and ready to respond to virtually anything that comes your way.

After all, disasters can – and will – happen. And it's in those dire moments after a cyber attack where having access to the right partners, resources, and a proven plan of action can clear the way to recovery.