
Getting cyber incident response right: the human element

Jack Horlock shares his views on the importance of cultivating the human element of a cyber incident response

The first crisis call

Maybe you know everyone in the room. Maybe you don’t. Who’s that that’s stressfully shouting their way through a list of “yeah buts”? And who’s that that’s seemingly so laid back they might as well be horizontal?

The calm, the frantic, the upset, the worried, the nonchalant (there aren’t many but I’ve encountered a few), the know-it-alls, and the know-nothings (sometimes each thinks they belong to the other cohort).

There are incidents where nothing’s been done in days. There are others where a ramshackle start-to-finish incident response has been attempted in a working day or by burning the midnight oil.

These are the extremes. Everything in between exists in spades when cyber crisis hits, and we’re called to step in as crisis leaders.

It’s not surprising that tensions are high in the throes of a cyber crisis. Systems are down. You can’t operate. There’s a menacing ransom note. You’re frozen out. Old, faithful email? Gone. At least until it’s been verified that it’s secure. Business-as-usual (BAU) goes out of the window. As creatures of habit, we humans necessarily find all of this disconcerting at best; downright distressing most of the time.

Focus tends to be on what needs to be done to contain and understand the incident, recover business operations, patch or fix whatever was exploited (this includes human errors), understand the data protection implications and comply with regulatory timelines. Those are important and can’t be overlooked. But they all rely on people who are fit for the job – without looked-after, healthy people, the necessary can’t be achieved.

Cyber-attacks and data breaches are increasingly affecting small-to-medium-sized businesses. There, experience and preparedness for the technical, regulatory, and legal response required to deal with a major cyber-attack is less likely to be significantly developed. That obviously has an impact on the ability to scale, at pace, the response work.

The research

The Royal United Services Institute (RUSI) describe in their paper on ransomware harms the ‘first-order harms’ to individuals within organisations hit by ransomware attacks. They range from psychological harm, including serious mental health conditions, anger, panic, stress, and burnout, to physical, financial, reputational and social harms.

One victim spoken to by RUSI emphasised the lack of attention given to this real front-line human toll, saying “the overall piece is that we very rarely talk about the mental health impact of these events”.

This harm is not confined to the immediate hours and days of an incident response. RUSI highlight that “psychological harm continued far beyond the immediate timeframe of the incident, creating an additional mental health burden and making it challenging for victims to move on after the incident”.

RUSI’s full report is a must-read for anyone actually or potentially involved in cyber crisis management.

For those who, like me, regularly meet clients immediately after they have suffered a cyber incident or large-scale data breach, the harms described above will sound familiar. The first temporal victims of an incident are the people who make up the impacted organisation’s staff and incident response team. In this post, I focus on the leaders, the IT teams, the specialists and the non-specialists who find themselves thrust into crisis response mode – more often than not with a dusty playbook unfit for purpose, or with no playbook at all. The panic, anxiety, stress, and worry are palpable in those early hours and days. That is why the people, and the indispensable role they play in incident response, are a key focus for CyXcel.

The sustainable approach to incident response

There is no escaping the fact that the immediate response to a cyber crisis needs to be rapid. “Go big early” might as well be emblazoned on the CyXcel walls at this stage – but going big early and petering out shortly thereafter is no good for anyone. The incident management strategy becomes loose, timelines slip, comms become messy, and recovery falters, none of which is conducive to the wellbeing recovery of the people that make up the organisation.

As the complexity of incidents and threat actor techniques increases, very many incidents will last for months. From a panicked rush, an incident can quickly turn into a brutal marathon effort. Overall, it’s an endurance event, not a sprint. Being unprepared for the ongoing management and servicing of crucial workstreams can lead to discontentment, disillusionment, and lethargy when reality sinks in that it isn’t just going to be a case of slogging for a week before normal service resumes.

The net result? Crisis leaders need to be sure that the human harms of cyber incidents are factored in when managing a response.

Starting on the right foot

Strategy. An incident response strategy does more than just guide the work output of the incident management team. It acts as a golden thread for the people you’re relying on to follow. It sets expectations and gives meaning to the work people are doing.

Ways of working. Incident response often necessitates long hours. Can you introduce a crisis rota to avoid burnout? There’s a reason that the emergency services, A&E departments and civil emergency responders work shift patterns: rest is important. A burned-out, lonely, dehydrated, malnourished, lethargic, and miserable responder begets unsatisfactory outcomes.

The carrot, not the stick. It’s clear from RUSI’s research that reputational harm, or the fear of it, can feed into the psychological harms suffered by individual responders. In the throes of a cyber crisis you need candour to establish the facts quickly. Does your culture encourage, or hinder, such candour? Staff who feel trusted and who don’t feel Damocles’ sword inching ever closer will help ensure a constructive dynamic to incident response.

Leadership. A firm, steady hand on the rudder is essential to quickly embed the necessary culture and strategy within the Incident Management (IM) team, leading to higher wellbeing and better outcomes.

Understanding. If the foregoing matters are treated as simply buzzwords and empty commitments, cynicism quickly creeps in. Everyone involved in incident response needs to be pulling in the same direction, just as hard.

Foresight. The aim of the game is to get through this and come out the other side as strongly as possible. To continue your operations, you need your team. If they become alienated or disillusioned through the incident response work, they won’t be around when BAU finally does return.

As a closing remark I want to stress that people matter. Yes, people matter because they run your operations and are critical to incident response activities. But beyond that, people matter. Full stop. Often our first job, in that first crisis call, is to counsel the organisation’s IM team into a position of resilience and strength, from a place of distress. Pilots say that any landing you walk away from is a good landing. CyXcel says that every incident response can be a good incident response: but it needs to start with the people.

 
