Why cyber incident response is now the responsibility of all business leaders

By Scott Walker, CSIRT Manager, Orange Cyberdefense.

  • 2 months ago Posted in

Any member of a leadership team at a large organisation will understand the importance of risk profiling. It is an essential tool in helping them to consider the changing nature of the range of threats to the financial success of the business.

The process of risk management is constant. Successful leaders rely on their teams to keep them abreast of internal and external developments, and how they may impact both short and long-term organisational strategies.

Market risk, geopolitical risk, supply chain disruptions, regulatory compliance and cyber threats are some of the highest-priority risks impacting the strategies and operations of a wide array of industries today. According to the government’s latest Cyber Security Breaches Survey, 69% of large businesses in the UK identifed a cyberattack or beach in 2023, so business leaders are understandably concerned about cyber risk.

There has been a significant increase in ransomware – or ‘Cyber Extortion’ (Cy-X) – attacks specifically in recent years. These attacks are a type of malicious activity where threat actors attempt to extort money from organisations by typically gaining unauthorised access to sensitive data or networks and then demanding a ransom. Common forms of Cy-X include ransomware attacks and distributed denial of service (DDoS) attacks with ransom demands.

According to our Security Navigator 2024, the past year saw the number of Cy-X victims globally increase by 46%, marking the highest number ever recorded. Large enterprises were the victims in most attacks (40%), with those employing more than 10,000+ people seeing a steady increase. 

In response to the rising number of attacks, governments worldwide are taking more proactive measures. Authorities in various countries have issued official statements condemning threat actors and some have implemented regulations that prohibit companies from paying ransoms. Law enforcement agencies and governments are also gradually gaining ground by disrupting the Cy-X ecosystem in other ways. These include the arrest of criminals, infrastructure takedowns, money seizures, international sanctions, the development of decryptors for victims and ‘hack back’ activities.

Prepare for the worst

As Cy-X attacks increase in volume and severity, it’s no longer a case of ‘if’ you’ll be attacked but ‘when.’ With their business operations, financial stability, and reputation at risk, the pressure is now on for the C-suite to take a bigger and more proactive role in protecting their organisation. 

In recent years I have been part of an elite pan-European team that provides emergency consulting, incident management and technical advice to help customers handle a security incident from initial detection to closure and full recovery. The less prepared a company is for a cyber-crisis, the more serious and difficult the impacts will be. However, despite the well-publicised growing threat of cyber adversaries, I still encounter many firms that have failed to plan for how to respond in the event of an attack. 

The National Institute of Standards and Technology (NIST) provides four phases of an incident response plan: preparation, detection and analysis, containment, eradication, recovery, and post-incident activity. Arguably the first phase – preparation – is the most important, ensuring you reduce the risk of occurrence and limit negative impacts. 

We recommend carrying out upstream simulations, enabling teams to determine the emergency and consider the precautionary and/or quarantine measures that they could take at the appropriate time to reduce the impact of a cyber-attack. Simulations can vary in duration and complexity, but the scenarios should be realistic and relevant to engage all stakeholders, highlighting the most probable threats with significant impacts. The exercises test stakeholder knowledge, develop automatism, and enhance communication skills.

Preparation also helps to anticipate the tension that a crisis can cause, whether it is cyber or not. Stress and fatigue are real and sometimes increased tenfold by misunderstanding. During the first few hours, it is often difficult to know exactly what is happening and to identify the source(s) of the attack and its scenario. The ability of employees to keep a cool head, work together and make the right decisions quickly lies in having learned the right moves in advance and being able to apply a simple and effective method.

Another vital consideration, and one which should be practiced, is how your business will continue to operate in the event of a cyber incident. Sometimes this means moving employees to another location and having them work from new computers. Other times, it means switching data from one compromised machine to another. In this case, you need to be certain that the cybercriminal doesn’t have access to it because it’s often the last line of defence. 

Document the process

In addition to pre-event simulations, the incident response process must be well documented and agreed upon by multiple stakeholders from across the organisation. It may sound basic but remember to have hard copies of the plan at hand in case you cannot access your servers during the attack. The plan should include a variety of documents, including:

Trigger matrix: allows for the qualification of an incident according to pre-established criteria. This matrix must be known to the first personnel informed of the incident (supervision, help desk, Security Operation Centre, etc.) as well as to the employees in charge of mobilising the crisis unit with dedicated and tested communication means.

Reflex cards: contain the procedure to follow in case of crisis. Extremely precise, they indicate, step by step, the actions to be taken, in order, according to the scenarios identified during prior audits.

Job descriptions: individual and explain what the role of each member of a crisis unit – from HR or PR – is going to be.

Call trees: the contact details of primary contacts as well as those of their substitutes in the case of an incident.

Legal documents: during a crisis, there are legal documents to be provided to the authorities and insurance companies. 

The above documents must not remain stagnant. Risk management should involve regular reviews of incident response and business continuity policies, as well as annual (at a minimum) simulations to ensure ongoing preparedness.

While historically the Chief Information Security Officer has been the key cyber-risk expert in most organisations, they cannot work in isolation. As the quantity and range of cyber attacks increase, accountability for managing the risk now spans across the leadership team. A culture of cyber resilience needs to be led from the top, ensuring all employees are aware of the risks and the role they must play when the time comes for your business to be targeted.

By Karolis Toleikis, Chief Executive Officer at IPRoyal.
BY Jon Howes, VP and GM of EMEA at Wasabi.
By Brian Trzupek, Senior Vice President, Product, DigiCert.
By James Blake, Global Head of Cyber Resiliency Strategy at Cohesity.
By Scott McKinnon, Chief Security Officer (CSO), UK&I at Palo Alto Networks.
By Richard Connolly, Regional Director for UKI at Infinidat.
By Auke Huistra, Industrial & OT Cyber Security Director, DNV Cyber.