
Cyber companies need a best practice approach to major incidents.

The Computer Weekly Security Think Tank panel considers incident response in the wake of the July CrowdStrike incident, sharing their views on what CrowdStrike got wrong, what it did right, and next steps

Cyber security companies have made global headlines recently with a series of significant incidents which caused widespread disruption. The July 2024 CrowdStrike outage, triggered by a faulty content update to its Falcon sensor that crashed millions of Windows hosts, is estimated to have cost Fortune 500 companies as much as $5.4bn, according to Parametrix analysis. The Okta data breach and the Ivanti Virtual Private Network (VPN) vulnerabilities raise similar concerns about the impact cyber security incidents can have at a global scale, whether the cause is an attacker or a defect in the security product itself.

Cyber security professionals and organisations are under significant pressure with a rapidly evolving threat landscape, increased threats from nation state sponsored actors, the offensive role AI can play in cyber-attacks and the increased availability of cyber exploit kits. Part of the challenge is that the everyday detection and prevention of cyber-attacks does not make headlines but does contribute significantly to the performance and resilience of customers and the global economy.

To address these challenges, cyber security companies need a best practice approach to major incidents. 

Engage PR specialists to protect reputation and maintain trust

Public relations organisations specialise in managing communications to the media, stakeholders and the public during a crisis. They are well placed to develop a crisis communications plan, working closely with cyber incident management experts, so that the cyber security organisation is prepared for a variety of eventualities. Managing communications across a wide range of channels further complicates the situation, as social media and other digital channels often carry speculative views or outright misinformation about the causes of an incident. Setting up a dedicated communication channel gives customers a single trusted source of information during the crisis. The speed and accuracy of communications during the incident is critical to maintaining trust and protecting the organisation's reputation.

As a proactive measure, PR specialists can highlight the positive contributions made by the cyber security organisation, demonstrating the number of attacks prevented and mitigated. More widely, as a profession, we do need to communicate the positive benefits cyber professionals and cyber tools bring to the global economy. Reliance on complex cyber security terminology and acronyms can confuse the messaging. There is a need to provide tailored messaging to different audiences such as the general public, senior executives, the specialist press and news media.

Develop business models to include insurance and compensation

The increasing complexity of cyber defences does mean that incidents will occur, whether through human error, the discovery of new vulnerabilities in software or a multitude of other factors. Cyber security organisations need to consider business models that give customers confidence that, if the worst does happen, there is some form of recompense. Cyber insurance can cover the costs of business interruption, forensic investigations and the cost of notifying parties affected by a data breach. Offering cyber insurance gives customers the option to buy additional protection beyond the standard product.

Alternative models could include service credits or free-usage periods to compensate for losses. These are, however, unlikely to provide enough recompense for a high impact outage. Inappropriate levels of compensation can result in further brand and reputational damage.

Innovative lines of defence

Many cyber incidents have a root cause of human error. According to the World Economic Forum, “95% of cybersecurity issues can be traced to human error, and insider threats (intentional or accidental) represent 43% of all breaches”. High risk tasks and changes in cyber security systems are often subject to some form of dual control or secondary level assessment to help mitigate the risk of human error.

The rapid developments in AI technology mean that agents can be developed to identify potential human errors, check compliance against organisational policies and flag errors in configuration changes made to software or cloud platforms before those changes are deployed. Such agents are an additional control alongside dual control and staged release, not a replacement for them: their own false-negative rate has to be measured and reviewed like any other control.

Digital Twins have a role in modelling the potential impacts of cyber incidents. Whilst a risk assessment can often highlight the immediate impacts, the complex web of dependencies and cascading of risks requires more sophisticated tooling to model the potential impact on clients and entire sectors. The use of data from past attacks and outages drives further realism into the modelling. This strategy becomes even more essential when a cyber security organisation is dominant in the market. 

The modelling is likely to drive the need for further mitigations such as staged (ring-based) deployments of software and content updates that halt automatically when telemetry from the previous ring shows unhealthy hosts, sandbox environments for pre-production testing, customer control over the timing of updates, and partitioning and segmentation of networks, users and systems to avoid large-scale global impacts. The CrowdStrike outage illustrated the cost of omitting these: a single content update reached every host at once, so there was no point at which a small, early population could have stopped the rollout.
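As an added illustration of the staged-deployment mitigation described above (this is example code written for this page, not CrowdStrike's or PA Consulting's own release tooling), the following Python model pushes an update one ring at a time and refuses to advance when the ring just updated reports too many unhealthy hosts. The ring sizes, the 1% failure threshold, the 10x growth rule and the telemetry tables are all constructed assumptions. The edge case it handles is the one that matters for a crash-looping update: a host that never reports back is counted as failed, since silence from a host that cannot boot must not be read as success.

```python
"""Ring-based (staged) rollout with an automatic health gate.

Added illustration for this article; it is not CrowdStrike's or PA
Consulting's code. Ring sizes, thresholds and the telemetry tables are
constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Ring:
    name: str
    hosts: int  # hosts that receive the update when this ring is released


@dataclass
class RolloutResult:
    status: str                  # "completed" or "halted"
    rings_updated: List[str]
    hosts_exposed: int           # hosts that received the update before any stop
    halted_at: Optional[str] = None
    reason: Optional[str] = None


def validate_ring_plan(rings: List[Ring], max_growth: int = 10) -> List[str]:
    """Return a list of problems with a ring plan (empty list = acceptable).

    Assumed rule: no ring may be more than max_growth times larger than the
    one before it, so a defect is observed while the exposed population is
    still small rather than after a jump from a handful of hosts to everyone.
    """
    problems: List[str] = []
    if not rings:
        return ["no rings defined"]
    for prev, cur in zip(rings, rings[1:]):
        if prev.hosts == 0 or cur.hosts > prev.hosts * max_growth:
            problems.append(
                f"{cur.name} ({cur.hosts} hosts) grows more than {max_growth}x "
                f"over {prev.name} ({prev.hosts} hosts)"
            )
    return problems


def staged_rollout(
    rings: List[Ring],
    healthy_after_update: Callable[[Ring], int],
    max_failure_rate: float = 0.01,
) -> RolloutResult:
    """Release the update ring by ring; stop before the next ring if the ring
    just updated exceeds max_failure_rate.

    healthy_after_update(ring) returns how many hosts in the ring reported
    healthy after applying the update. Every host that did NOT report is
    treated as failed: a host that crash-loops on the new content never
    sends a heartbeat, so missing telemetry is evidence of failure.
    """
    updated: List[str] = []
    exposed = 0
    for ring in rings:
        exposed += ring.hosts
        updated.append(ring.name)
        healthy = healthy_after_update(ring)
        failed = ring.hosts - healthy
        rate = failed / ring.hosts
        if rate > max_failure_rate:
            return RolloutResult(
                "halted", updated, exposed, ring.name,
                f"{failed}/{ring.hosts} hosts unhealthy ({rate:.1%})",
            )
    return RolloutResult("completed", updated, exposed)


def telemetry_from(reports: Dict[str, int]) -> Callable[[Ring], int]:
    """Build a telemetry callback from a constructed table of healthy counts."""
    return lambda ring: reports[ring.name]


# Constructed ring plan: vendor-internal first, then roughly 10x per step.
RINGS = [
    Ring("vendor-internal", 50),
    Ring("early-adopters", 500),
    Ring("general", 5000),
    Ring("global", 50000),
]

# Constructed telemetry: a sound update with normal background noise ...
GOOD_UPDATE = {"vendor-internal": 50, "early-adopters": 498,
               "general": 4990, "global": 49800}
# ... and a content update that crash-loops every host that loads it, so
# no host in any ring ever reports back.
BAD_UPDATE = {"vendor-internal": 0, "early-adopters": 0,
              "general": 0, "global": 0}

if __name__ == "__main__":
    print("plan problems:", validate_ring_plan(RINGS))
    print(staged_rollout(RINGS, telemetry_from(GOOD_UPDATE)))
    print(staged_rollout(RINGS, telemetry_from(BAD_UPDATE)))
```

With the bad update the rollout halts after the 50 vendor-internal hosts instead of reaching all 55,550; an unstaged push of the same content would have exposed every host before the first failure report arrived. The growth check rejects a plan such as a 10-host canary followed by a global ring, which gives the illusion of staging without limiting blast radius.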
 
There is a need for cyber security organisations to take the lead in running incident response exercises with major clients in specific industry sectors. A collaborative approach to exercising crisis and incident management plans will expose gaps and highlight opportunities to improve the speed of response. 

By prioritising best practices for crisis management in a hyper-connected world, cyber security organisations can minimise reputational damage from incidents and sustain trust in their solutions. Without this approach, there is a risk that all the positive benefits to the global economy from cyber security organisations are lost in a stream of negative headlines.

Andy Bridden and Ashley Barker are cyber security experts at PA Consulting.
