In this week’s bulletin Charlie highlights the key learnings from the RUSI Report.

As a teacher of cyber incident management, I quite rarely get to hear first-hand about cyber incidents, and case studies are quite rare. The public sector has done a few, including SEPA, the London Library, and Gloucestershire City Council, but overall, information from the private sector is hard to find. Over the last couple of weeks, I have heard first-hand from the CISO of a high-profile cyber incident and have come across the RUSI “Occasional Paper ‘Your Data is Stolen and Encrypted’: The Ransomware Victim Experience”. The paper is research on several organisations’ experiences of managing a cyber incident. Sharing lessons learnt is useful so that organisations, and those who teach cyber incident management, can pass their experience on to others before they are attacked, manage their expectations, and make them ready to face a cyber incident. The report recognised the importance of sharing information both for the victims and for those who have not been attacked. They said in the paper, “The research for this paper confirms that, for many victims, a ransomware incident is a stressful and potentially dark period in their lives, making it hard to talk about their experience. However, the data has also demonstrated the value of talking about the experience, whether it is for personal closure or to provide critical insights to members of their ecosystem and sector to help them better prepare for a ransomware attack.”

The report can be found here, but I thought I would share a few key learnings that you might find useful.

  1. When people turn to law enforcement for technical support and expertise, the expectation is generally low, and this is compounded in several cases when incidents have been reported to law enforcement and they haven’t replied or have replied days or weeks later. “There is widespread uncertainty about its role and the thresholds that must be met for it to provide support.” The report stated this could lead to a reputation issue for law enforcement if there is a large gap between the support organisations expect they are going to get and the support they get.
  2. The timing of an attack can determine the impact; several organisations in the study said that the attack happened just after payroll had been run, so the impact on the organisations was less.
  3. The research project found that, in many cases, existing business continuity plans were unsuitable for dealing with a cyber incident. “Policymakers must thus continue to stress the importance of cyber-specific preparation that takes into account the unique features of a cyber incident instead of relying on generic contingency plans that are unsuitable in a digitalised context.” The scenarios many organisations prepared for in their business continuity plans were fires and floods, which bore little resemblance to the impact of a cyber-attack. The plans failed to consider having no means of communication within the organisation, as the ransomware attack had taken out all the normal systems they used. “There is no email. There is no Excel. Think pencil. Think paper.” I think this is an important reminder to businesspeople to review their business continuity plans against a ransomware attack and check that they have manual workarounds for processes.
  4. The RTOs (recovery time objectives) agreed as part of the BIA (business impact analysis) process are important in that they set the priority for recovery after a cyber-attack. The report mentions a manufacturing company that prioritised the recovery of their canteen in the interest of maintaining staff morale.
  5. Organisations have had to recover their servers one by one, and re-establishing the data flows between them was a nightmare. Another organisation said they had not paid enough attention to the kind of infrastructure, and the security, that was needed.
  6. The availability and quality of backups, particularly those that are offline, were very important in the recovery.
  7. Good awareness of the amount and kind of data the organisation holds can help the organisation understand the possible impact of an attack.
  8. A ransomware attack is likely to intensify existing sentiment within the organisation. If staff are generally supportive of the management, then they will rally around and support the response, but if there is conflict, it is likely that this will hinder or delay the recovery.
  9. “An incident responder went as far as to say that the technical response to an incident is the easy part and that, instead, leadership rather than technical expertise is the overriding factor.” It is important that senior managers are aware of this!
  10. Those responding must ensure that they look after their staff during the response: “The combination of lack of sleep, poor nutrition, and excessive consumption of caffeine necessitated a visit to A&E.” Dealing with an incident over the long term can “degrade the wellbeing of staff through sleep deprivation, physical inactivity, poor nutrition, and strained relationships.” Senior management has a key role in monitoring staff and preventing burnout. This equally applies to the third parties assisting in the response.
  11. Trying to access large quantities of cryptocurrency to pay a ransom may be difficult, as you may have to go through multiple bank authorisation checks to obtain the necessary cryptocurrency. The process was arduous and compounded their stress.
  12. Lawyers are tasked with protecting the organisation rather than individuals within it and preventing further harm.
  13. Many organisations felt lawyers prevented them from sharing information, even if this could warn other organisations of the incident.
  14. Most organisations that had cyber insurance were very positive about their interactions with cyber insurance providers.
  15. Professional ransomware negotiators can reduce the ransom by up to 40%.
  16. Effective internal communications were key to keeping up morale and improving the effectiveness of the response. When they were poor, it affected morale very quickly.
  17. The process of dealing with the ICO (Information Commissioner’s Office) was described as ‘laborious’: the ICO may demand large amounts of information, and this can continue after the incident has been resolved. Most of those interviewed for the report said their experience of dealing with the ICO was negative.

In the report, there was quite a lot of information on the interactions between ransomware victims and law enforcement, including the NCSC. The experience was mixed, with some receiving an excellent experience while others felt law enforcement was unresponsive and had a poor experience. I think the more we know about other organisations’ experiences with ransomware incidents, the more we can ensure that our organisations are ready and recognise early some of the issues they will face when responding.
