Rebuilding after a cyber attack

We talk a lot about handling the initial car crash of a breach: what to do first, the comms that need to go out and the reporting to regulators. This all happens within the first few hours or days of a breach being discovered.

What about after that?

Last week I ran several cyber crisis exercises. The CMTs (Crisis Management Teams) for both companies were excellent at handling the initial fallout of the breach, containment and emergency comms. Where people so often struggle is what happens after that. Let’s say you’ve “weathered” the storm. You have control back and have ensured the attackers are no longer in your network.

That’s not where the work ends for the CMT.

In fact, the next stage is far more challenging. The CMT forms the strategic team in a crisis.

After that initial response we have to consider questions such as:

How do they prioritise which systems and services to bring back online first?

What dependencies are there, and how do you explain them to the CMT?

Are there certain clients that have to be prioritised over others?

It’s easy to say “bring everything back. We need it all”, but in what order? No company has infinite resources. One thing a crisis always highlights is that we need more money and more resourcing. Every decision we make will have consequences for something else. If you don’t map this out in advance, you can end up in a sticky situation.

Priorities can be worked out ahead of an incident. So many difficult discussions and decisions can be predicted and planned for. This makes your decision-making faster and more accurate. Plan these things before you need them. Help your CMT practise the plans and be in a better position should the worst occur!
