This year has seen a number of high profile cases of businesses falling victim to cyberattacks, with financial as well as reputational implications. According to government data, 50% of all businesses have experienced some form of cyber security breach or attack in the last 12 months – and with the likelihood of this trend increasing into 2025, preparing for such an event is vital for businesses of all sizes. Yet, the reality is that even with the best prevention strategies in place, there is currently no guaranteed way of avoiding the risk altogether.
In this article, Richard Nelson, senior technical consultant at Probrand, explores what to do in the event of an attack and how to minimise the impact on your business.
Create a robust crisis plan
The first step in preparing for what to do in the event of a cyberattack is to put a clear plan of action together. This should outline different scenarios and make clear who is responsible for leading the response across your business. When doing this it helps to think like a hacker. In what ways might a cyber criminal try to harm your organisation? How will this impact IT, legal, finance, communications, HR, or other departments? It is likely that most divisions of the organisation will be impacted in some way, and they all need to be aware of the plan and understand their role. It will help if a specific individual within each department is appointed to take the lead and is capable of forming a response team in the event of a threat.
It is important that every person involved in the plan understands the implications of an attack and why these preparations and their involvement are necessary. Getting their buy-in from the beginning will ensure that everyone is aligned and working together when needed. You can help them to take charge in these scenarios by advising them on what they can do to minimise the impact of the attack. These steps should be listed clearly in your crisis management strategy, with the owner of each action and their contact details shared across the crisis response team.
Everybody should be comfortable and familiar with the steps they need to take. So, once the strategy is finalised and approved, it should be rigorously tested. Much like companies run regular fire drills, the crisis management strategy should be trialled and rehearsed so that it becomes second nature in the event of a real attack.
Each person named in the strategy should also make sure they have prior approval to conduct any of the actions they might need to take. This may include legal approval, pre-authorised spend caps or written agreement from the CEO that a Chief Information Security Officer (CISO), or similar individual, can take charge if difficult decisions need taking in the event of a threat.
Clear communication is key
At the recent Probrand IT Expo, Jon Staniforth, former CISO at the Royal Mail, spoke about his experience of a ransomware attack. He described the ‘insatiable’ appetite for communications from many different parties at the time of the attack, with everyone requiring information to suit a different agenda. He explained that handling these communications was the most time-consuming element of his role in the early days of the crisis, occupying 50-70% of his focus. Jon went on to create a dedicated communications team to work with the various stakeholders across PR, corporate communications and public affairs throughout the attack, ensuring the right messaging was getting out in a timely manner, without distracting him from his own role.
Knowing what to communicate, when and to whom is vital during a crisis. Yet, in the moment, it can be easy to get this wrong and say too much – or too little. Preparing clear messaging in advance and sticking to approved statements in the event of an attack can help to minimise the impact on your business’s reputation. Working with your organisation’s communications team to align on a strategy, as well as investing in media training to rehearse real-life scenarios, can help to create a clear process if and when the time comes.
Remember the importance of wellbeing
Looking after your own wellbeing – and that of your team – can fall to the bottom of the priority list when a crisis hits, but it should be a top priority. Reflecting on his crisis, Jon explained that he was working 20-hour days in the first week of the attack, doing whatever it took to understand the scale and scope of the damage. But this can become unsustainable, as the work to repair the damage of an attack can span many weeks and months. To tackle this in the future, Jon suggested he would appoint a dedicated wellbeing officer whose sole responsibility is to care for the physical and mental wellbeing of the team handling the crisis.
It is often in the nature of IT teams to get involved and be curious about major events such as these, and many will volunteer to work through the night to get to the root of the problem. Jon explained that part of his role was sometimes to ask people not to get involved and, for the benefit of their own wellbeing, to ensure they stayed in their own work streams. Segmenting teams and fixing accountability to specific people for pre-determined tasks can also help to keep the process as efficient as possible.
Handling any kind of crisis is undoubtedly fraught and difficult, but implementing a clear plan in advance and sticking to it in the moment can help to minimise the impact of an attack, not only on the business but on your own wellbeing. If you are currently preparing your IT strategy for 2025, taking some time to prepare for a crisis, and then testing your response at regular intervals, will pay off in the long run.