As part of the scenario, participants worked together in one of four teams under one umbrella organization. The four teams were: Management, IT, Legal, and Communication; I was a part of the Communication team.
— Adli Wahid (@adliwahid) July 29, 2017
With Adli (middle) are, from left, Siosaia Vaipuna (CERT Tonga), Kitisak Jirawannakool (Thai Bankers’ Association), Linda Raelina Mamahit (PT Nawala Indonesia) and Afifa Abbas (Banglalink Digital Communications Limited).
The scenario started with the IT and Communication team receiving an email from someone claiming to be a hacker stating that the organization’s internal data, including confidential data, had been stolen and would be shared publicly if our organization did not pay a ransom fee.
Now the fun starts: each group must decide what to do. Is there enough time, before the ransom deadline, to inform customers and shareholders? Or to identify and track down the hacker?
The entire session lasted about an hour and a half, which I felt went by very quickly but, in reality, is about the time some organizations have in which to act.
What I learnt — preparation is key
- Organizations should have an incident response plan/team to deal with unexpected events, because when faced with a “situation”, you won’t have much time to plan anything.
- The important thing to remember about incident response is the 3 C’s (Collaborate, Coordinate, Communicate). You must communicate with all relevant parties. You must have a central location from which to coordinate. And internal and external collaboration is very important.
- Analyze the value of data, including the consequences of what happens if such data is leaked or lost. Once you know the value, then you can take the appropriate preventive measures to protect it.
- Cybersecurity is the responsibility of everyone in the agency, not just IT. All agencies must help each other to identify and mitigate risks.
- People are a security weakness. Proper training and cybersecurity awareness for everyone will reduce the risk of a successful attack.
- Inform the relevant people as soon as possible. These include the CEO and, if appropriate, customers.
- When communicating information to the public, use language that the listener understands — for example, it is not necessary to say that the organization complies with ISO 27001 and NERC-CIP, because most customers may not understand these terms.
I found that doing this kind of workshop with people from a range of nationalities was really useful, as each country and culture thinks and acts differently about the situation. If you ever get an opportunity to take part in a similar exercise, I thoroughly advise you to do so.
This is a translated version of an original post that appeared on Suksit.com
Suksit Sripitchayaphan is an SCADA Engineer at the Provincial Electricity Authority of Thailand.