In parallel, the pandemic has highlighted the fact that many organizations are often not adequately equipped to face cyber incidents. The increase in employees working remotely has enlarged the attack surface exploitable by hackers. In many cases the IT infrastructure and the related IT security controls of organizations have proven inadequate to support today's need for remote working capabilities.
Human error continues to be one of the biggest risk factors in enabling cyber incidents. Verizon’s 2021 Data Breach Investigation Report estimated that during the pandemic, 85% of all successful incidents involved using humans as the attack vector by tricking them, rather than exploiting weaknesses in computer systems. In particular, 61% of breaches were initiated using phishing e-mails. This was also the case for the Colonial Pipeline attack in spring 2021, which was one of the most damaging recent cyber-attacks in the US.
Another problem impacting the security posture of organizations is that cyber security is not involved in new IT initiatives (often cloud-based projects and the related migration of applications). With the increase of remote working during the pandemic, discussions between teams have become less frequent. This was evident in the GISS 2020 survey, where only 36% of respondents were confident that cyber teams were already consulted at the planning stage of new business and technological initiatives. This percentage dropped significantly to less than a fifth (19%) in 2021.
Crucial timing
19% of GISS respondents were confident in 2021 that cyber teams were consulted at the planning stage of new IT projects.
What should the business do in the event of a cyber incident?
Prevention is better than cure, and having a robust IT infrastructure is of key importance. This is achieved through early intervention, by involving the cyber team in any major technological initiatives, and further by promoting a strong cyber security culture among employees. Furthermore, organizations should consider the possibility that a cyber incident can happen to them at any time. A clear strategy and dedicated response plans, based on incident scenarios, are required. Regular exercises through simulations are necessary to ensure the effectiveness and resilience of the respective plans under pressure.
Typically, the Crisis Management Team (CMT) leads the cyber incident response and directs the organization during a crisis. It is the responsibility of the CMT to develop runbooks outlining detailed steps to help the organization reduce the impact and to return to business-as-usual as quickly as possible.
Although the CMT is in charge of coordinating and taking the lead during emergencies, a successful response to an incident is a joint effort across different teams within the organization. Typically, the Computer Security Incident Response Team (CSIRT), Corporate Communications and the Legal department liaise regularly with the CMT to contain the incident. They enable a proper communication strategy towards the media, clients, internal stakeholders and regulatory bodies (e.g., FINMA, FMA etc.). For critical incidents, business continuity plans are used to understand how business lines are being affected.
How can organizations effectively respond to cyber incidents?
Given the continuous and fast interactions across different teams and the pressure of making decisions rapidly, it is crucial to periodically review the runbooks and, in general, the cyber incident response strategy. There are two main reasons for that:
- Simulating cyber incidents gives organizations the opportunity to identify weaknesses and to adjust their runbooks based on the lessons learned.
- Simulations provide a chance to reinforce and increase the efficiency of communications across teams.
Running a cyber incident simulation exercise is a great opportunity not only to improve an organization’s overall cyber security posture, but also to foster cross-team collaboration and team building. This will ultimately make an organization more cohesive and resilient.
Summary
The pandemic has uncovered organizations’ lack of readiness for the new ways of working that have emerged. Cyber incidents and related costs have increased significantly since 2020. A strong cyber resilience strategy cannot be complete if it does not involve periodic cyber incident simulations, where the efficacy of the strategy and related response plans is tested and improved. Regularly running cyber incident simulations also has the added benefit of fostering communication and collaboration amongst teams, and will furthermore promote a strong cyber culture and increase awareness.