“This is not a drill!” – Cyber Resilience Debate Series - Day 2
18 Oct 2017
Welcome to the second day of the Cyber Resilience Debate Series. Today’s topic regards a literal interpretation of the phrase ‘companywide adoption’.
“Rehearsing how to respond to a cyber-attack should be a companywide process, like a fire drill”
What do you think? Let us know below!
Once again, just my opinion;
While this works in theory and could be the most sure-fire way to respond quickly to a major cyber incident, it just doesn’t practically work. What would you do? Have everyone shut down their laptops? Theoretically, if there was malware affecting your network, you could shut your servers down and achieve the same outcome. This seems impractical.
It might seem impractical, but I believe if all your staff have just the basics in dealing with a cyber attack, this will go a long way in mitigating the situation if by chance it happens. Although control can be taken from a single point, e.g. shutting down a server, it is also prudent to have all your staff know how to deal with it.
The Military always work on Standard Operating Procedures, a set of Immediate Actions (first responses to a change in situation) and then rely on training and good judgement to develop a response that fits the unique circumstances. This is an approach that could help in cyber, by giving anyone and everyone in the organisation the knowledge to deal with a threat. The risk is that actions play into the hands of the attacker, and so I think that there is only limited utility in this approach.
I would suggest that ALL staff should be trained to recognise the signs of an attack, and have an easy and appropriately quick way to report it. The Security team dealing with the report should have a 'playbook' or set of Immediate Actions that they can rely on in any case to give them the breathing room to diagnose the detail of the problem and formulate the most appropriate response, and all of this needs to be regularly exercised and trained. I don't think however that the Fire Drill routine is necessarily the most useful way of going about it. For most staff members regular information and an effective internal communications plan (posters, newsletters and even emails) should suffice, but the team dealing with the organisational response must be drilled to recognise, diagnose and respond to the situation regularly. There are so many potential responses depending on the type of attack, type of attacker and the potential ramifications of the response that there will never be a one-size-fits-all response, but first aid actions could save a lot of damage.
Finally this all only works if staff are trained, empowered to take decisions and trusted to carry out their actions with sufficient delegation. Otherwise the whole system can jam if one person is left as the key decision-maker and for whatever reason is out of contact.