When news came into the Rolls-Royce Security Operations Centre of a cybersecurity incident at a subsidiary, it didn’t take long for Colin Topping and his colleagues to recognize the seriousness of the attack.
“They got hit on a Thursday and were pretty sure they’d be back up and running by Monday,” said Topping, Rolls-Royce’s cyber incident director. “They thought they’d been compromised that week.”
But the reality was far more complex as the threat actor had been attacking this supplier for many weeks prior to any signs of attack becoming visible. This incident required that a Rolls-Royce incident response team travel to the location to address it. The incident was fully investigated and reported through the proper channels.
The supplier, a mid-sized firm that had been purchased by Rolls-Royce, lacked cybersecurity expertise. But when confronted with a crisis, employees there did one thing right: They knew to seek expert help. In their case, they went to the Rolls-Royce Operations Centre, but every company should develop expert relationships to be tapped in case of an emergency.
“Hopefully, if you’re of a size that you don’t have an incident response team, you do have an incident response company that can come and assist you,” Topping said.
Knowing who to call. Anticipating the day hackers might shut down your email system. Having a crisis management response in place, and practicing it. The first step in dealing with a cyberattack that threatens operations is rallying the company into action, and that requires advance planning, experts say.
“I can’t stress this enough: Have a plan in place,” said Tim Wilkinson, Rolls-Royce’s global head of cybersecurity operations. “Think about what you’re going to do. When you are in the middle of a big incident, everything you have needs to be concentrated on managing the incident, not working out how you’re going to do it.”
Wilkinson and Topping said first-response steps include alerting the right people so they can begin to assess the seriousness. The IT person who identifies the problem should know who to contact, and the managers and members of the executive team who will lead the response should all be prepared to join the first conference call.
“You need to work out who’s going to be involved so there are no surprises, and define some very rough responsibilities,” Wilkinson said. “If you’re bringing in third parties, like an incident response company, you need to have arranged all that.”
Once the response is under way, the list of other parties to contact starts to grow. Internally, there may be investor relations and corporate communications representatives to warn. Key customers may need a heads-up. Assuming you have coverage, call your cyber insurance representative because they may have expertise to share.
Then, depending on the situation, a company experiencing a serious cyber incident likely needs to inform regulators and law enforcement. That would include the FBI in the United States.
Contacting customers is also important. “If our supplier has an incident, we’re going to encourage you to let us know because it could impact us,” Topping said.
A ransomware attack could involve sensitive company data, or a compromised email system could lead to phishing attempts directed at employees of other companies.
There’s one other constituency to keep informed: employees. There may be reasons to withhold certain information, especially in the early hours after an attack when there are reasons to keep details confidential. But in general, employees need to understand what’s happening and how to respond. If they don’t know why a certain system isn’t available, they may try workarounds that have unintended consequences.
The key to managing communications during a crisis is to assign certain people to these secondary tasks so the incident response team can focus on Job 1: Defeating the intrusion. So limit the time spent by cyber responders doing briefings.
“They can either fight the attackers or they can write reports and communicate with external parties. They don’t have enough time to do both,” Wilkinson said.
This article is part of a series on incident response MxD is doing with its member Rolls-Royce. Check out the last Cyber Incident Insights article here: What to Do Before You’re Cyber-Attacked
For more on the latest in cybersecurity news and tools, visit the MxD Cyber Resource Hub.