3 Things to Do at the End of a Crisis

Steps to take in the wake of an attack

The cyberattack has come, and your company fended it off. You battened down the hatches, patched software, reported incident details through the proper channels, and warned employees to heighten their vigilance. And now there is … silence.

Do you give the all-clear and go back to business as usual? Not right away, experts say.

“Knowing when an incident is done is a surprisingly difficult decision to make, because there are natural lulls and waves within incidents themselves,” said Tim Wilkinson, Rolls-Royce’s global head of cybersecurity operations. “We’ve had nation-state groups which were working on a two-month cycle for some reason that we couldn’t work out. Every two months, they came back and attacked us for a couple of weeks and then went off. We’ve had cyber-crime groups which were working on a weekly cycle, so every Wednesday we got bombarded with phishing emails.”

It would be easier to declare an incident over if there were a checkered flag waved, or better yet a surrender flag, when the cyber gang decided to move on from your organization to a new target. Instead, Wilkinson said, each organization must make its own decision to declare that a crisis has been resolved.

Because there is no obvious endpoint, Wilkinson said companies should recognize they are at a potentially valuable crossroads.

“What you tend to finish with is a bit of tension within the team. Some may want to keep going forever, because it’s a great opportunity to mend things and protect things. Others are ready to disband the incident response team because it’s expensive and time consuming,” he said.

Some savvy advice: Recognize the opportunity that exists at the resolution of an attack to make investments in cybersecurity, because at the end of a crisis you will still have everyone’s attention.

“You have to make the best use of the first 30 days after an incident, when everyone is still thinking about how cyberattacks can put the business at risk,” Wilkinson said. “The focus will inevitably shift to other priorities at some point, so there is only a small window in which to make a pitch to invest in necessary cyber protections.”

Some other post-intrusion advice: Communicate with your suppliers and vendors about the attack. Review and revise your cyber response plan with insight gained from the experience. What worked? What failed? What can you add to your reaction next time? And provide an appropriate warning to your suppliers and vendors, sharing best practices so they can improve their defenses.

Constant vigilance is required.

“There is a real threat out there, so do as much as you can upfront,” Wilkinson said in summation. “We’re not saying here you have to create reams of shelfware and write ‘War and Peace.’ But do the basics. It’s in everyone’s best interest to ensure we have a healthy and well-protected supply chain.”


This article is part of a series on incident response MxD is doing with its member Rolls-Royce. Check out the previous Cyber Incident Insights articles here: What to Do Before You’re Cyber-Attacked & What to Do When the Hackers Attack
