Our Views:
This month’s theme is “Staying calm in a cyber crisis”.
It is hard to remain calm when a crisis descends. Physically, your body responds with hormonal and physiological changes as if it were under threat. These changes are designed to help you act quickly by increasing your heart rate and oxygen flow to your muscles, sharpening your hearing, making you sweat and dropping your perception of pain, all of which are intended to support a “fight or flight” response.
Whilst the stress hormones released under pressure are great if you need to run fast from a dangerous situation, they are not so relevant when facing a modern-day cyber incident. Cortisol and adrenaline slow our thought processes and hinder our ability to analyse complex information. Making the critical decisions required to respond effectively to a cyber incident becomes more challenging. It is important to understand that fight, flight, and sometimes freeze are automatic responses to perceived danger, and controlling these is extremely difficult.
In a well-known Aesop’s fable, a fox and a cat discuss their strategies for evading hunting dogs. The fox boasts of many techniques, whereas the cat confesses to having only one option. When the hunting dogs arrive, the cat runs up a tree, whereas the fox is overcome by choice and freezes before being caught. This tale highlights that, when responding to a crisis, having a plan works. The cat clearly knows what to do when disaster hits, follows the plan and responds quickly and without hesitation for a successful outcome.
In a cyber incident, having a tested Cyber Incident Response (IR) plan is vital. An IR plan outlines clear overarching measures an organisation should take to reduce the impact of any breach. Having a documented plan prevents “knee-jerk” actions, protects a business’s assets in order of criticality and expedites detection, mitigation, remediation and recovery actions. It also reduces the number of decisions a responder must make, ensuring that “analysis paralysis”, or the fate of the fox in Aesop’s fable, is avoided.
Another key tool that supports an overarching IR plan is the development of specific playbooks. Being prepared to respond to a cyber incident involves thinking through the potential cyber threats specific to your business and developing a detailed game plan for each of these. We recommend that New Zealand organisations adopt playbooks (either templated or tailored) for Business Email Compromise, Ransomware, and Privacy Breach threats, as a minimum.
Effective teamwork and communication are also critical factors for a successful response strategy. All team members should be aware of their individual responsibilities during a crisis and everyone must work together towards a common goal. Events move fast during a cyber crisis, and a response to a large incident may often run over days and weeks. The members that make up the crisis team may change to allow rest and recuperation, noting that changes to team members pose their own unique challenges for maintaining clear communication and ensuring everyone is up to date.
To maintain consistency, we recommend setting up an electronic IR control room well before it is needed, to support the response to any crisis. A Kanban board that follows the IR plan and playbooks can be used to capture updates, actions and blockers from all participants in real time, improving situational awareness and facilitating the coordination of effort. With some preparation, electronic tools such as Microsoft Teams can be used to set this up and provide a common operating picture for all major cyber incidents. When everyone feels informed and can see active progress on actions, they gain a greater sense of control and panic is less likely to set in.
To quote Captain Sullenberger, who landed his stricken aircraft on the Hudson River, “a sense of calm is rooted in confidence”. Preparation is the primary way to gain the confidence to maintain this calm. In addition to preparing and testing your IR plan, playbooks and control room, you should also identify any skills gaps and gain the required knowledge, which will reduce the risk of making the wrong decisions whilst under pressure. It is important to strongly prioritise actions, break down any problem into manageable chunks and concentrate on the most critical tasks first. Once the first steps are taken, subsequent ones become a little easier.
Additionally, use near-misses and small incidents as learning opportunities. Think about what you did well, what you could have done better, and whether you reacted fast enough and had the necessary skills. Participating in cyber tabletop exercises is another structured way to test yourself and sharpen your skills in a safe environment.
You can maintain realistic optimism during a cyber crisis by being fully aware of the risks posed by a cyber incident and simultaneously confident that your skills, knowledge and the team around you will be able to address these risks. Delegate tasks appropriately, ask for help and take care of yourself to ensure you are optimally prepared to act. Maintaining calm during a cyber incident can be achieved with preparation, practice, and support.
About the Bulletin:
The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.
To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents.
This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.
