On April 20, 2021, Noord hosted a virtual boardroom sponsored by BlackBerry in association with Spectris. The event opened with an introduction by Melissa Piner, Group IT Policy, Controls and Compliance Manager, and Anna-Lisa Miller, Group Chief Information Security Officer, both representing Spectris. This was followed by a discussion among senior IT professionals on preparing for and executing incident response.
Opening of the session
The session was opened by Anna-Lisa Miller, who explained that the virtual boardroom aimed to share lessons learned from incident response, whether incidents had been managed well or poorly. While some companies have comprehensive documentation and approval processes for this, it is important to get the most out of that preparation and to have the agility to apply plans to scenarios they were not written for, all while ensuring that employees feel supported.
Reasons for attending and key challenges
All attendees were keen to learn from other organisations’ best practice and had a range of expertise, including in compliance, security, and privacy.
In terms of key challenges, there was recognition that the shift in business dynamics in the wake of the Covid-19 pandemic has changed companies’ ability to respond to incidents, with many reducing their physical office space and increasing their reliance on remote systems.
In particular, one participant noted that the nature of incidents is evolving as we move to cloud-based services, which will require a change in governance. Another was keen to understand how other organisations are navigating the growing need to report breaches to the Information Commissioner’s Office.
Putting people first
Anna-Lisa underscored the importance of looking after staff during incidents, an area that is often overlooked in an emergency. For example, responders who forget to drink water and take regular breaks are more likely to make poor decisions. In the longer term, looking after staff has a bearing on a company’s values and integrity, and a company’s brand is an essential consideration in a crisis. For instance, there are well-known examples reported in the media of organisations attempting to sweep data breaches under the carpet and, in doing so, causing irreparable damage to their reputation.
One participant noted that by successfully controlling the narrative during a data exposure incident, their company had been able to strengthen customer loyalty and increase sales by being fully transparent throughout the situation. The success in managing the incident had been largely down to the combined experience and knowledge of the team, rather than insights from a written process – although the company in question has now developed a playbook.
Implementing effective incident management processes
Melissa Piner picked up on the topic of incident management, noting that Spectris has a separate process for incidents involving personal data which requires the involvement of a Data Protection Officer (DPO).
One participant noted that within their organisation, the whole company is involved at the initial stages of an incident to ascertain what has happened and whether there is an applicable playbook scenario. Subsequently, team members drop off if they are not needed, and the DPO is involved where necessary.
Melissa also noted the importance of organisations having backup communications systems (in case the primary ones are unavailable or compromised during an incident), understanding their legal requirements and obligations, and having a clearly defined process from threat identification to containment.
One participant’s company had cyber insurance and a forensic team on retainer. Another had forensic capabilities within their own organisation, although they noted that this department’s response tended to be rather mechanistic. As a result, there was a need to ensure that the human element is not neglected, as staff members can feel as if they are being blamed or belittled for incidents.
The value of rehearsals
It was stated that rehearsals are valuable in ensuring that the right people have the right information to make the right decisions. That said, there was also recognition that incident preparedness needs to be embedded across the entire organisation to prevent blame culture and enhance resilience.
Sharing lessons learned internally
As one participant put it, ‘you are only as strong as your weakest link’. In this context, it was noted that within global corporations, some regional offices rely on the capabilities of other offices to identify breaches. However, while sharing knowledge across regions is beneficial, it can be difficult to follow up on whether less cyber resilient regional offices have made the changes suggested to them.
Sharing lessons learned across the industry
Anna-Lisa noted that it can be difficult for companies to know when and how much to share with others during an incident, as this can sometimes do more harm than good.
It was noted that while people are generally fearful of sharing data across sectors, there was a need for a more joined-up mechanism across the industry, ideally supported by a governing body. Banking was cited as a potential industry to emulate in this respect in light of how banks are transparent in sharing instances of fraud among themselves.
The lack of standardisation across the industry was also mentioned in respect of competing reporting deadlines – with companies often having to comply with third-party contractual obligations and arrangements while managing an incident. In this regard, one participant mentioned the importance of documenting the incident management timeline to have sufficient evidence to present to the regulator, should an organisation’s management of an incident be called into question by a third party.
Building training and awareness
One attendee noted the distinction between reportable and recordable incidents, stating that their organisation did not record ‘near misses’. By way of comparison, another participant noted that recording and analysing minor breaches is important to identify root causes and prevent future incidents. Their organisation gave every breach a score out of 50, depending on the degree of severity, which allowed it to spot patterns and isolate issues of potential concern.
Intrusive cyber simulations
There were mixed feelings about whether intrusive cybersecurity exercises were beneficial. On the one hand, such exercises can give companies a deeper awareness of how in-depth attacks are planned, including from the inside. One participant noted that as a result of physical penetration simulations, their company had been able to gain an insight into the simple yet creative ways that criminals attempt to compromise systems.
On the other hand, it was noted that simulations risk causing irreparable damage if they disrupt or destroy a company’s core systems. One participant felt that simulations are disruptive and merely point out weak points that a company is likely already aware of. Instead, behavioural monitoring of unusual internal activity may be more useful. In this respect, internal compromises were seen as inevitable, yet companies still have the power to mitigate their consequences.
Closing of the session
In summing up, Anna-Lisa noted that the adage ‘not if but when’ has become a reality for many companies in the context of cyber incidents. It is therefore essential to educate and empower employees to make the right decisions in order to build highly cyber-resilient organisations.