How to survive a major cyber incident

Dan Simms
May 17, 2019 9:21 AM

Before WannaCry and NotPetya, most organisations didn't think they could ever find themselves in a position where they could lose everything. 

WannaCry and NotPetya changed all that. Imagine for a moment how you would feel if all your desktop and laptop computers and all your servers were wiped by malware.

Imagine if that included your authentication system and your backup server. Moreover, imagine how you would feel when you try to rebuild your backup server (to allow you to restore your data), only to find that you can't, because it needs a working authentication system. The classic chicken and egg.

Pretty scary. What's even more frightening is that this isn't a story invented by someone wanting to increase their disaster recovery budget. This is the reality that several organisations found themselves in during 2017.

So how do you recover from this? The best advice can be taken from the front cover of The Hitchhiker's Guide to the Galaxy: 'Don't panic'.

Here are some things to consider if you find yourself in this situation:

1. Set expectations

Major cyber incidents take time and money to recover from. Usually this means a number of days (and in some cases months) without access to some line of business applications.

2. Use your disaster recovery systems

Bring online any business continuity/disaster recovery systems that you have available to you, to help people communicate and continue to work throughout the incident.

3. Establish what happened

Was this ransomware, or do you suspect data theft? Sometimes data theft is hidden behind ransomware. Knowing which it was will help you understand whether you need to report the incident under GDPR.

4. Establish a safe way to recover your systems

For some businesses, this might mean restoring systems to a different environment such as Microsoft Azure or Amazon AWS.

5. Choose your top 10 systems

Consider the top ten systems and associated data that your business needs to stay in business. Involve the COO, CFO and HR director in this discussion. Be bold - unless the system is absolutely required to ‘stay in business’ then it can wait. Focus all your activity on recovering systems in the agreed priority order.

6. Be realistic

Be realistic about how long the recovery will take. Even if you’re working 24x7, it will take you longer than you expect.

7. Keep productivity high

Get your business busy with things that don’t involve computers - such as visiting clients and undertaking business development.

8. Communicate regularly

Communicate to your stakeholders regularly - this will help people stay productive, while you recover your business.

9. Get help

There are several companies out there that can help you with the recovery or forensic investigation.

10. Look after your team

Look after your recovery teams - food, massages, and lots and lots of praise. They will be working 24x7, and this will help them maintain their energy levels.

As Nick Ross would say "Don't have nightmares, do sleep well."
