Many organisations do not have cyber resilience plans in place or where they do, they are outdated or inadequate. That’s a problem because often it’s not the cyberattack that does the damage, it’s how you respond.
“While the breach itself is the initial trigger, how an organisation handles the situation significantly determines the extent of the damage,” explains Claire Wilson, cyber strategy and transformation director at Deloitte.
It’s why organisations need to have a defined plan for when an incident occurs. “A playbook can set an organisation up for effective incident response, minimising financial and reputation damage,” she says.
The first stage in an incident management plan will always be preparation. “This phase establishes the framework in which cyber incidents are handled. It involves ensuring a skilled team is available, conducting regular training, defining a communication strategy and setting up the necessary tools to ensure a quick and co-ordinated response,” she says.
RM Block
A communication plan is vital. “Effective, timely and accurate communications can play a huge part in mitigating the reputational impacts of an incident. Today’s organisations have a multitude of stakeholders – employees, suppliers, customers, regulators. In preparing for an incident, it is vital that the organisation understands the requirements of these stakeholders – who needs to be communicated to and when,” says Wilson.
Once an incident is detected, responders need to contain it and prevent further spread. “The quicker an incident it identified, the quicker this containment can happen,” she points out.
“Containment efforts are often delayed trying to contact the right person – cyberattackers love it when ‘Bob’ logs off for the bank holiday weekend, they know that they are less likely to be detected, and responses will be delayed. Making sure that there are clearly defined communication paths for decision makers and response personnel is critical.”
Once contained, the next stage in the playbook is eradicating the threat from the systems. This means finding and removing harmful software and malware from all systems, fixing the security weaknesses that allowed the attack to occur, and checking there are no ‘back doors’ left by the hackers.
“Once the threat has been fully eradicated, the systems can be restored – this may be from a clean backup or could be a complete rebuild of a server or application. The team will need to carefully monitor any signs of re-compromise or other issues can be detected,” says Wilson.
“An after-incident review also needs to be included to ensure that lessons learned and other opportunities are integrated into the playbook.”
In the event of a cyber breach, an organisation should activate its incident-response plan to assess the breach’s scope and impact, says Leonard McAuliffe, a partner in the cybersecurity practice at PwC Ireland.
“Immediate actions include containing the breach to prevent further damage and notifying internal and external stakeholders, including regulatory bodies, if necessary,” he points out.
“Post-incident, the organisation should conduct a thorough review to learn from the breach, update security procedures and provide security awareness training to help reduce the risk of future cyber incidents.”
Organisations can enhance their cyber resilience by focusing on speed and efficiency in response to incidents.
“Establishing a well-co-ordinated incident-response plan which includes clear roles and responsibilities is crucial. Regularly conduct training and simulate scenarios with your team to ensure preparedness. Invest in tools and technologies that enable quick detection and response to threats and continually assess your infrastructure for vulnerabilities,” he adds.
Collaborate closely with security, risk and legal teams too, to ensure compliance and strategic preparedness. “By fostering a culture of proactive cybersecurity and prioritising stakeholder trust, organisations can minimise disruptions and swiftly return to normal operations,” he explains.
In the event of an incident, effective communication is key. Internally that means informing key stakeholders including management, IT and operations teams, while legal advisers should be notified immediately.
Externally, it is crucial to notify affected customers and regulatory bodies, such as the Data Protection Commission, Central Bank of Ireland or National Cyber Security Centre, both to meet regulatory obligations and uphold transparency.
“While it may seem tempting to keep incidents under wraps, transparency is critical to avoiding reputational damage and potential legal consequences. An open and honest communication strategy not only builds trust but also aligns with regulatory expectations,” he points out.
Right now, cybersecurity has never been more relevant, says Jack Godley, cybersecurity review grant (CSRG) project manager at Enterprise Ireland.
“Its importance is growing exponentially as year-on-year there are harmful agents being emboldened with new technologies. A company cannot afford to be reactive when it comes to digital risk, that is why a proactive approach to all facets of digital security is the best practice,” he says.
While one can never be fully prepared for a cyberattack, “the cyber journey which precedes the hack will dictate the response,” he adds.
How you react to a cybersecurity breach should have been determined well in advance.
“Identifying the weak point in your systems, the data affected, who needs to be made aware, how you inform them, and how to rebuild trust are all problems which require consideration, and there isn’t any time to consider after a breach. Speed up your response time by planning for these issues now,” he advises.
“The CSRG will help identify your cybersecurity strengths and weaknesses, help you formulate a digital security journey, and allow for a mindset shift towards cyber vigilance and resilience. While one bad breach may cost you your business, understanding the evolving threats and landscape will allow any company to navigate safely.”
