How to handle a cyber attack

In my experience, the only effective way to deal with a cyber attack is with advance planning and preparation.  In particular, establishing Secure Communications.

Secure Communication is vital, and effective communication during any crisis requires situational awareness and experience.

3 critical threads to handle during a cyber attack;

• Secure communications,
• Task prioritisation, and
• Recovery objectives.

Secure Communication

During a cyber attack, being able to rely upon a secure channel for communication outside of the systems which are affected is vital. Keep this channel as simple as possible; for example, emergency mobile phones with a secure messaging app are effective.

Do not expect to rely on any internal systems that have any dependence on internally managed services, this includes WiFi, email, contact lists and system access credentials.

Practice and training to create familiarity with the emergency communications procedures is time well spent and is the single most effective improvement I recommend. Schedule regular drills and actively seek out improvements to response and control protocols.

In summary, a separate and secure communications channel is vital.

Task Prioritisation

Protecting data, determining what happened and preserving evidence are all important elements. Prioritisation requires assessment and is dependent upon many factors including the extent and the nature of the cyber attack.

At the top of my list is to mobilise the incident response team, often a combination of internal staff and external specialists, and their first task should be to secure the systems and start the business continuity programme.

However uncomfortable it might feel; it is critical to share the situation with senior management who will drive the order of priority when presented with dependencies and options.

Before any work commences, a clear plan for recovery must be created, and the recovery team must remain focused on their tasks without distraction.

Recovery Objectives

Before starting any recovery activity, it is vital to clearly understand what has happened.

When an attack re-occurs during a recovery process there is significantly greater risk; I have seen minor systems breaches turn into disasters because no effort was made to determine the root cause of the failure before recovery was started.

An approach that that works well for me is to use a ‘play book’ of planned recovery procedures. ‘Play book’ protocols can be tested and developed without requiring a crisis.

‘When you fail to plan, you are planning to fail.’  Recovering well maintained systems is straightforward, I know because I’ve done it.  Recovering poorly maintained systems is a nightmare, I know because I’ve done this too.

Elements that are often not thought about include actively managing the incident response and recovery teams. Setting clear team objectives should be obvious, as is staying mindful of each member’s personal wellbeing.

If you’re considering how to recover from a cyber attack or how to handle any IT crisis, I recommend starting with an honest discussion – let me know if you’d like me to contribute.

Why choose to work with Sytec?

• We focus on reducing risk
• Our work and checks are separated independent processes
• We consider compliance and security checks as the default
• You will know which engineer has access and when they took action
• You will have phone, email and face to face access to security certified engineers

About Sytec

Sytec provides IT networking, security, audit, consulting, and support services to a broad range of businesses. Based in Salisbury, engineers are available to respond on a same day basis to ad-hoc or emergency requests, and within minutes for customers with a prepaid pool of consultative support.
We enjoy representing many other IT companies who require responsive field engineers, sytec.co.uk/subcontract for more about our coverage and response.