In the final part of our series on preparing for, responding to and recovering from a cyber attack, we look at how your risk, tech and legal teams should handle the post-attack recovery. Read part one to find out how to build up your organisation’s cyber resilience against threats before they occur and part two on what to do in the immediate aftermath of a breach.
Post breach, it’s time to breathe.
You were well prepared for a cyber attack, and when the inevitable happened, were able to respond to the incident in a smart, timely fashion. Congratulations! So, what’s next? While the pace of activity will be less frenetic, there is still work to do to ensure you’re well placed to respond to future incidents.
In our final piece on cyber incident response we cover what to do in the recovery and remediation phase. This is the time to reflect on your organisation’s response and implement fixes to any identified problems with your cyber protection strategy. This involves a post-incident review and incorporating the lessons learned from preparation and response into business-wide, holistic planning.
Here are some specific actions for your risk, tech and legal teams to consider:
Risk management recommendations
- Conduct a post-incident review — A review should be performed calmly once the incident response process is complete and operations have resumed post-incident. This should assess the overall management of the incident, include a summary of the root cause(s), what systems or assets were involved, and to what extent it affected your operations. Review and apply lessons learned, both from the incident itself and the response activities. Organisations should also assess whether their Data Breach Response and Business Continuity Plans were adequate and adjust as necessary.
- Perform regular threat and risk assessments — Reference your most recent threat and risk assessment plans to ensure that the root cause of the incident was clearly identified and that no other weaknesses could have contributed to the breach or its impact. Incident trends should be reviewed regularly in case issues are at play that have not yet been considered and remediated.
- Ensure ongoing control testing — Cyber defences must focus on people, process and technology, with the recognition that people are generally the weakest link. Regular training and targeted awareness sessions for different roles in the organisation can play a key role, but can’t be relied upon as a sole line of defence. Over time, all organisations must build out a ‘defence in depth’ capability, and test/assess key controls regularly to ensure they are working as expected.[1] Such exercises can proactively identify gaps that, when addressed, can reduce both the occurrence and impact of cyber security incidents in the future.
- Assess your defences — The post-incident review should identify what worked and what didn’t, and inform you how to protect the business against future threats. Where an incident was a targeted attack, consider what the target was, and if the right protections are in place. What controls failed during the incident, and what enhancements are required to make them effective? If there are deficiencies in certain areas, consider how the organisation, or additional third party products or expertise, could uplift security capability.
- Implement strategic fixes — During the incident, you may have rapidly put in place temporary controls to protect against the threat you faced. For example, you may have disabled a number of administrative accounts, or restricted network connectivity to a set of sensitive systems. Post-incident is the time to evaluate these and consider which of them should continue and which fixes require more strategic solutions. Real life incidents present an opportunity to consider the controls that protect your organisation’s systems and data, and those which were useful in an incident can often be extended more broadly to better protect the organisation.
- Share threat intelligence — Incident response and investigations yield information about the threat actor behind an attack. For instance, the attacker may have used particular techniques to gain access, communicated with a set of servers on the internet, or used a particular type of malware. This information is valuable to other organisations. Knowing about your experience, others will be better placed to detect and prevent similar attacks on their companies. In Australia, the Australian Cyber Security Centre (ACSC) and their Joint Cyber Security Centre (JCSC) program are the go-to forums to share threat intelligence (you can also explore industry-specific forums) and can anonymise you as the source if requested.
- Prepare against ongoing exposure — If there is any lingering risk of ongoing exposure (for example, the threat actor has extracted information but not yet made the information public), make sure you have a clear and detailed response plan in place. This plan should set out how the organisation will deal with situations if publication does occur, allowing for compliance with regulatory assessment obligations and timely notification to impacted individuals. It is also important that you are continually monitoring the situation so you can act quickly if developments occur.
- Expect supplier and customer scrutiny — It’s common to experience an increased level of scrutiny after an attack. Existing customers and suppliers may want to exercise audit rights or seek assurances that you have managed the incident and have put appropriate measures in place to address future risks. New stakeholders may demand more onerous commitments, including specific cyber security, data protection and privacy compliance. Making your senior leadership and IT teams accessible to concerned parties, and having robust breach prevention and breach response measures in place, will demonstrate you are well prepared and engender confidence. You can also obtain an independent audit of your cyber security measures and/or a certification of compliance with leading cyber security industry standards (e.g. NIST/ISO 27001).
- Assess third party cyber performance — Review the performance of any cyber security or managed security service providers (both prior to and during the incident). Assess whether they have caused or contributed to any security vulnerabilities or issues with your breach response. These roles are often outsourced (to some extent) and their performance will be perceived as yours, despite the terms of your contract. Insurers may also want to review these contracts, or scrutinise these arrangements, if you have cyber security insurance in place. Given the rapidly evolving cyber threat environment and the pace of developments in the cyber security space, it is worth considering shorter term engagements, or ensuring your longer term engagements give you appropriate rights of recourse and that you’re receiving the best protection.
Cyber attacks are increasingly a fact of life for business in today’s digital world, and they can be stressful and potentially damaging to the business. We hope you’ve found our three-part series on how a business can prepare for, respond to and recover from a cyber incident useful. There are many things you can (and should) do to manage these risks, reduce their severity and ensure you ‘bounce back’ if a cyber attack occurs.
If these articles have raised questions around your business’ readiness and resilience when it comes to today’s threat environment, visit PwC Australia’s cyber security page for further information and details to get in contact with us.
Also contributing to this article:
Andrew Morrison, Senior Associate, Financial Advisory – Legal, PwC Australia
James Patto, Director, Financial Advisory – Legal, PwC Australia
David Stocks, Senior Manager, Consulting – Digital Transformation, PwC Australia
Helen Teixeira, Senior Manager, Assurance – Trust & Risk, PwC Australia