It’s 4:30pm and you’re in the middle of a meeting when you’re interrupted by one of your technical architects. They want to let you know that they think there’s been a security breach so could you come down and help them check it out please? Before you can make your excuses however, they’re back in the room to say, “forget think, we know there’s been a breach.”
Your first thoughts are likely to be unprintable here, so let’s just say it would be unusual not to feel an immediate surge of adrenaline coupled with a list of questions and expletives fighting for attention in your head. That, and the rest of the board looking at you for answers. Now.
Given that a cyber attack is not an ‘if’ but a ‘when’ for all organisations, the scenario that we’ve described should be one that every CISO is prepared for – and that every board is invested in. But with attacks ranging from employees accidentally opening phishing emails to targeted ransomware, what’s the best way to prepare?
What is the golden hour?
In policing, the concept of the golden hour is used to describe the time immediately following a crime being committed. Positive action taken during the golden hour gives officers the best possible opportunity of managing a situation and gathering evidence that will lead to an eventual prosecution.
Of course, the golden hour doesn’t have to be restricted to 60 minutes, but what it does do is focus the mind (calling it a ‘Golden-Three-to-Four-Hours’ doesn’t have quite the same ring to it). It also helps an organisation to remember that what it’s dealing with is a crime, and that the response should be just as rapid and focused as if a physical attack had taken place.
With the concept of a positive window of opportunity for action established, the CISO and their team can set an expectation with the business that whilst a cyber attack is an unwelcome experience, there is a plan that will roll into action the moment an incident is detected.
The importance of structure
The College of Policing sets out its golden hour considerations in a simple table that embraces a range of people, responsibilities and actions. What stands out about the presentation of the information is that whilst there will be detailed procedures, sector-specific technology, and discrete skills and roles involved, the overall spirit of what’s required is expressed in a way that is immediately understandable.
This approach can be rapidly and simply adopted by any size of organisation in any sector. Some of the headlines are specific to policing, but it does offer a way to demonstrate the importance of organisations having an agreed and shared set of considerations.
Ask yourself some questions
To set your structure, you need to ask questions of your organisation. If we take the policing golden hour considerations as a guideline, these questions might include:
· Who will a breach impact?
· What will the impact be? Loss of revenue? Theft of data? Damage to reputation?
· How will we record what has happened?
· What can we capture via our existing technology and what needs to be captured manually?
· How and when will we inform our customers / partners / shareholders about what has happened?
· What can we discover from our event log?
· What other internal and external sources of intelligence do we have?
Lines of responsibility
· Who is ultimately responsible?
· What are the individual responsibilities of each member of the business?
· What are the lines of communication and how can we check that everyone understands them?
Rehearse for the worst
With fire drills standard in all public buildings and compliance training often centred around real-life scenarios, it makes sense for organisations to take the same approach to cyber incidents. At a basic level this could involve a simulation whereby members of the immediate security team rehearse their actions, or it might involve the entire company. Whilst this could disrupt business for an hour, a well-prepared team will save an organisation significant time and money in the event of a real cyber attack. There is also the added benefit of being able to uncover and rectify process errors or knowledge gaps in a safe environment.
For organisations that want to enjoy a more comprehensive and immersive experience, IBM is doing some exceptional work with its Cyber Range – a facility where security teams can test their skills in responding to a variety of simulated cyber attacks. We’ll be sharing some exciting opportunities for UK organisations to access the Cyber Range later in the series.
Look for opportunities to learn
Whilst the number of records stolen or the size of the ransom demanded makes for great headlines, the more interesting reading is to be found in the reporting of how an organisation responds to an attack. Take the case of Uber, whose leadership paid a ransom of $100,000 to hackers who stole data related to 57 million individuals. Uber’s hope was that the hackers would delete the data and not tell anybody what had happened. Outside of the fact that new CEO Dara Khosrowshahi inherited yet another unpalatable issue to address, the incident was a reminder (if you needed one) that hackers don’t care about the reputation of your business.
Conversely, if we look to Maersk CEO Soren Skou, we find a more salutary tale. He was new in the role (although 30+ years with the business) when the organisation was hit with NotPetya malware, bringing IT infrastructure to a grinding halt and eventually costing the business c.$300m in lost revenue. In an interview with FT.com, Soren described how he felt unprepared for the task that faced him, but took three decisive steps that serve as a good learning opportunity for other business leaders:
1. Get deep in – Soren participated in all crisis calls and meetings.
2. Focus on internal and external communication – daily updates were sent out to everyone impacted.
3. Put customers first – staff were told, “Do what you think is right to serve the customer. Don’t wait for the HQ, we’ll accept the cost”.
There is lots to learn from the Maersk example – the value of strong leadership, the importance of being honest with customers and shareholders, and the benefits of empowering your employees. Soren said that the experience will change the way in which Maersk approaches its risk management exercises. For us, it highlights the value of being clear and accountable in times of crisis – and the possibility of a positive arising from a negative experience.
Be your own best warning system
It’s not within a cyber criminal’s nature to issue a warning before launching an attack, but it is within your power to predict when you’re going to need to put your golden hour process into play. Here are our top three tips:
1. Be process-orientated – technology is important, but it will not fix an issue that’s rooted in poorly understood or incomplete processes.
2. Implement active monitoring – alongside your technological investments, you also want people patrolling your network who understand the context of your business and what threats exist.
3. Create a culture of awareness – cyber security shouldn’t be top-down or bottom-up; it should be an organisation-wide responsibility.
It’s now 5:30pm. Whether the entire business is running around like headless chickens or you’re overseeing a controlled response comes down to whether you’ve got the right people and processes in place. If you haven’t yet embraced the golden hour, perhaps now’s the time.
‘Cyber Security – The Golden Hour’ is the first in a series of articles designed to encourage debate and action in organisations who want to take a positive approach to cyber security. Our recommendations are based on the experiences of our customers, the knowledge of our cyber security team and analyst insights. To discuss any aspect of this article, please comment below and we’ll get in touch, or contact our Security Solutions Architect, Iain Marsh, at email@example.com.
Cyber Security Sales Lead at SCC