3 Things to Do at the End of a Crisis

Steps to take in the wake of an attack

The cyberattack has come, and your company fended it off. You battened down the hatches, patched software, reported incident details through the proper channels, warned employees to heighten their vigilance. And now there is … silence.

Do you give the all-clear and go back to business as usual? Not right away, experts say.

“Knowing when an incident is done is a surprisingly difficult decision to make, because there are natural lulls and waves within incidents themselves,” said Tim Wilkinson, Rolls-Royce’s global head of cybersecurity operations. “We’ve had nation-state groups which were working on a two-month cycle for some reason that we couldn’t work out. Every two months, they came back and attacked us for a couple of weeks and then went off. We’ve had cyber-crime groups which were working on a weekly cycle, so every Wednesday we got bombarded with phishing emails.”

It would be easier to declare an incident over if there were a checkered flag waved, or better yet a surrender flag, when the cyber gang decided to move on from your organization to a new target. Instead, Wilkinson said, each organization must make its own decision to declare that a crisis has been resolved.

Because there is no obvious endpoint, Wilkinson said companies should recognize they are at a potentially valuable crossroads.

“What you tend to finish with is a bit of tension within the team. Some may want to keep going forever, because it’s a great opportunity to mend things and protect things. Others are ready to disband the incident response team because it’s expensive and time consuming,” he said.

Some savvy advice: Recognize this opportunity that exists at the resolution of an attack to make investments in cybersecurity. Because at the end of a crisis you will still have everyone’s attention.

“You have to make the best use of the first 30 days after an incident, when everyone is still thinking about how cyberattacks can put the business at risk,” Wilkinson said. “The focus will inevitably shift to other priorities at some point, so there is only a small window in which to make a pitch to invest in necessary cyber protections.”

Some other post-intrusion advice: Communicate with your suppliers and vendors about the attack. Review and revise your cyber response plan with insight gained from the experience. What worked? What failed? What can you add to your reaction next time? And provide an appropriate warning to your suppliers and vendors, sharing best practices so they can improve their defenses.

Constant vigilance is required.

“There is a real threat out there, so do as much as you can upfront,” Wilkinson said in summation. “We’re not saying here you have to create reams of shelfware and write ‘War and Peace.’ But do the basics. It’s in everyone’s best interest to ensure we have a healthy and well-protected supply chain.”


This article is part of a series on incident response MxD is doing with its member Rolls-Royce. Check out the previous Cyber Incident Insights articles here: What to Do Before You’re Cyber-Attacked & What to Do When the Hackers Attack

For more on the latest in cybersecurity news and tools, visit the MxD Cyber Resource Hub.
