The critical 48 hours after a cyber attack
A range of social, political, cultural and economic factors drives cyber attacks. How well banking and financial institutions understand the drivers for an attack and how effectively they respond in the 48 hours following the discovery of an attack has a major effect on the resultant impact, writes Peter Cheney.
The response to a cyber attack depends on the type of breach and how it is discovered. Most financial institutions are well-versed in the process of detection. The majority of them have also adopted preventative measures to minimise access to their “crown jewels”, as well as protecting and monitoring all other aspects of the corporate network. However, breaches still occur, and many advanced attackers, from criminals to nation states, are present within corporate networks for months before they are detected.
Financial institutions that have prepared a detailed response plan for the inevitable event of an attack will be best placed to mitigate its impact. There are three main questions they will need to answer within the first 48 hours:
- What is the specific nature of the breach? When a breach is suspected, key questions include: What has been taken? When did the breach happen? How was it achieved? Is it still ongoing? What is the scope of the attack, and what needs to be fixed? These are largely technical forensics questions. The IT team (or a third-party specialist) needs to establish the key facts of the breach. The more information crisis managers have about the situation, the clearer it becomes how to deal with it. The public, the media and customers may be forgiving if the breach resulted from a new and unforeseen piece of malware. They will be less forgiving if the issue continues or happens again, or if the institution was compromised by well-known malware. Regulators across many jurisdictions will also take a dim view of institutions failing to protect against known risks.
- Is there a human element to the breach? Computers don’t attack computers. It is vital to establish early on who the likely perpetrators are and what their likely motives are. In the financial sector, criminals are most commonly involved, but this is not always the case – nation states may be looking to disrupt operations, or competitors may be attempting to access sensitive market information. Sometimes it is an insider attack, perhaps by an individual or even an entire team that is still in place or has recently left the organisation for a rival.
  Only by getting to the bottom of the context for an attack will organisations be able to respond effectively. Is M&A activity prompting the attack, or is it simply opportunistic? Cyber threat analysts will need to work alongside investigators examining intelligence on the people behind the attack.
- How can we minimise the damage of an attack? The speed of the reaction to an attack or suspected attack is vital to containing the incident. Financial institutions need to demonstrate clearly that they are in control of the situation and are handling it, while keeping stakeholders appropriately informed. Otherwise, the danger is that someone else, such as the regulators, will step in and handle the crisis on their behalf. Organisations need to keep their hands firmly on the steering wheel even as others clutch for it.
A high-level crisis team should be involved from the outset to handle the incident. This is not just an issue of business continuity and keeping IT systems running. It is much more than that – it is about effective management of a crisis that could seriously damage the organisation and threaten the operational future of the bank itself. A small central hub of business decision makers that makes up the crisis team should assess what action needs to be taken and lead on the response across the institution. This crisis team will work with a set of subsidiary teams, including an IT team, investigators, a communications team, and those handling customer relations.
Depending on the nature of the incident, the attack may already be in the public domain. In that case the organisation will inevitably be playing catch-up, crisis management faces its greatest challenge, and the communications team may take a more immediate and central role in fire-fighting the incident. However, whatever the details, the crisis team will always need to manage the subsidiary teams. It is likely that one or another of these will expect to take ownership of the situation, but it is vital to ensure that commercial decision makers lead crisis management.
Cyber attacks are unavoidable. A high-level crisis management team should be kept abreast of developing trends and threats in the cyber world and be on stand-by to respond to a cyber attack. Then, faced with an attack, institutions that have planned ahead will respond quickly and effectively and will be best placed to keep their organisations running and their breach out of the headlines.