Incident Response

In this month’s post, Matt Palmer of Jersey Cyber Security Centre talks about reducing the personal impact of managing a cyber incident.


There’s lots of documentation out there to help with cyber security incident response, but sometimes it’s not what you do that matters, but how – and how ready you are to do it. At this month’s CIISF seminar on incident management, both Dave Cartwright and I spoke about the aspects of incident management that you can’t get from a policy, playbook, process or checklist.

If you’ve not personally dealt with a major crisis, one of the hardest things to understand is how a crisis feels. And whether you have had your own crisis to deal with or not, one of the hardest things to appreciate is how much control you do have over that experience and therefore the outcomes.

This week, a local organisation that had recently suffered a ransomware attack came to talk to us. It was hard to hear, because the story they told was one of personal trauma and challenge.

When their business was attacked, the first thing they saw was unusual systems behaviour. They called in their IT team, thinking this would be a routine issue and easily resolved. It was the mention of the word ‘ransomware’ that rang alarm bells.

Ransomware was confirmed and they called their insurance company, who were able to connect them with a specialist incident response and forensics provider.

However, the experience of waiting for the experts and wondering whether or not you are doing everything you should, all whilst watching the business or organisation you have built collapsing around you, is not a fun one.

And two things would have helped.

One would be having someone by their side for friendly advice, support and encouragement, and to sense-check the actions being taken and provide another point of view if needed. Just having an expert to talk to – someone local, who can pop round or whom you know – can provide a lot of confidence and peace of mind. And with that support comes the mental space and clarity to make good decisions.

Secondly, everything is easier when you have been there before. In that way, first cyber security incidents are the same as a first step, first tax return, first job interview or a first kiss - indeed anything else often approached with a degree of rational trepidation. Some things you just can’t practice for, but cyber incidents you can. Through awareness month we ran a series of cyber incident response exercises for everyone to participate in. We ran a further exercise this week at NatWest’s Library Place branch attended by 10 representatives of different local businesses. The great thing about these exercises is the opportunity to work through a real life scenario with others in a trusted and judgement-free environment. It’s also an opportunity to feel some of the tension that comes with a real life incident, but without the personal or business implications.

This is the type of support that Jersey Cyber Security Centre is well placed to offer. Local charities can also call upon cyber security help from the Jersey Charitable Skills Pool. We will run more events and if you’d like a heads-up when we do, make sure you are following both JCSC and the CIISF on social media.

Finally, one of the things that helped the organisation in this case study was having cyber insurance. Insurance is not a panacea and you still need to have effective controls. A great way to start with both is to do a Cyber Essentials or Cyber Essentials Plus certification, which is the minimum baseline recommended by JCSC and a requirement for supplying the UK and Jersey Governments. It also provides £50,000 of cyber insurance cover for free, which would be enough to initiate a response and potentially cover the costs of a smaller incident. Just as importantly however, insurers can help you manage the process and connect you to the right experts at the right time.

If you’ve yet to do Cyber Essentials, it’s not too late. You can ask your preferred IT supplier or go direct to one of the four local specialist providers now accredited to certify against Cyber Essentials. These are Clarity, Resolution IT, Prosperity 24/7 and CyberTec Security.

Matt Palmer

Matt Palmer is the Director of Jersey Cyber Security Centre and a co-opted observer on the CIISF Committee.

https://mattpalmer.net