In today’s bulletin, Charlie discusses Comhairle nan Eilean Siar’s cyber attack back in 2023 and gives an insight into ways organisations can aid recovery after a cyber incident.
This week, as some of you may have seen on LinkedIn, I have been in Stornoway on the Isle of Lewis, speaking to the Council about their cyber attack. They had a cyber attack in November 2023 which had a huge impact on the Council. As I myself am from the Hebrides – the Isle of Coll – I took a keen interest in what they did and how they recovered. When the call for speakers came for the annual BCI World conference, I thought I would do a case study on the Council’s response and what we as practitioners can learn from their experience. They have written an excellent report on what happened, but to get some first-hand commentary on the incident, I have spent the last two days in Stornoway interviewing people. I could have done it via Microsoft Teams, but it is so much easier to arrange face-to-face meetings, and as I was only there for a short time, people made time in their diaries to see me.
I was interviewing the IT Manager who was involved in a lot of the response and it was fascinating to get a first-hand commentary from someone who has been at the coalface of the IT response to a cyber incident. I learned a lot, but one of his comments really resonated with me. The idea was that it is important to prevent the bad guys getting into your systems, but if they really want to get in, they will do. What is equally important is your ability to recover after the incident. So this week I thought I would share some of the ideas I have for enabling your recovery.
- Go SaaS. Moving to a SaaS application is a larger decision than just enabling your recovery, but if you use SaaS applications, there is a high chance that a ransomware attack which encrypts your own estate will not impact them. Remember, it is important to check what backup your SaaS contract actually gives you, and whether you need to take out additional backup services or contracts.
- Go Cloud. The IT manager felt that if his systems had been in the cloud they would not have been attacked and encrypted; moving to the cloud is part of the Council's solution after the attack.
- 3-2-1 on Backups. The 3-2-1 backup strategy means keeping three copies of your data, stored on two different types of media, with one copy kept offsite for maximum protection.
- Immutable and secure backups. Ensure that your backups cannot be encrypted or rendered unusable by the attackers. A number of organisations have had to recreate their applications from scratch as they lost their backups at the same time as the main application. Having a good set of backups which are restorable can save weeks and months of time trying to rebuild systems from scratch.
- Practise recovering systems. This was another piece of advice from Stornoway: you have to practise the recovery and then document it. Without the pressure of a live incident, it is much easier to work out how to recover systems, and the written procedure is what you will follow when the pressure is on.
- Agree on priorities. In a local authority, there is a reasonable consensus on what needs to be recovered first and what can wait. In other organisations, this may not be so obvious, so agree an activity and application priority list in advance. This may change with the circumstances of the incident or the time of year, but it at least gives those recovering a starting position.
- Have a disaster recovery (DR) plan. The DR plan should include an order to conduct application recovery and take into account the interactions and connections between systems.
- Interfaces. Know which organisations you have APIs or data workflow connections with. It is highly likely they will cut their systems off from yours but if you know who they are and how your systems interconnect with them, you can make contact and understand the actions and reassurance they require from your organisation before they will reconnect them.
- Exercise. Exercise often, the technical recovery as well as your incident management teams' response.
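The backup points above (3-2-1, immutable copies, an agreed recovery order, and practising and documenting the restore) are all things that can be checked rather than just asserted. The script below is an added example, not code from the Council, its report, or the author of this bulletin. It audits a constructed backup inventory against the 3-2-1 rule and a minimum retention-lock period, lists applications in their agreed recovery order, and runs a small restore drill that verifies the restored artefact against the digest recorded at backup time. All inventory records, digests, dates and application names are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import shutil
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Optional

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # constructed "today" for the audit


@dataclass
class BackupCopy:
    """One stored copy of a backup set (hypothetical inventory record)."""
    location: str
    media: str                           # "disk", "tape", "object-storage", ...
    offsite: bool
    immutable_until: Optional[datetime]  # retention-lock expiry; None means mutable
    sha256: str                          # digest recorded when the copy was taken


@dataclass
class BackupSet:
    application: str
    priority: int                        # agreed recovery order, 1 = restore first
    copies: list[BackupCopy] = field(default_factory=list)


def check_3_2_1(bs: BackupSet) -> list[str]:
    """Ways a backup set falls short of 3 copies / 2 media types / 1 offsite."""
    issues = []
    if len(bs.copies) < 3:
        issues.append(f"only {len(bs.copies)} copies (need 3)")
    if len({c.media for c in bs.copies}) < 2:
        issues.append("all copies on one media type (need 2)")
    if not any(c.offsite for c in bs.copies):
        issues.append("no offsite copy")
    return issues


def check_immutable(bs: BackupSet, now: datetime, min_days: int = 30) -> list[str]:
    """Require at least one copy whose retention lock still has min_days to run."""
    locked = [c for c in bs.copies if c.immutable_until is not None
              and c.immutable_until - now >= timedelta(days=min_days)]
    return [] if locked else [f"no copy retention-locked for at least {min_days} days"]


def recovery_order(sets: list[BackupSet]) -> list[str]:
    """Application names in the agreed order of recovery."""
    return [s.application for s in sorted(sets, key=lambda s: s.priority)]


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def restore_drill(backup_file: Path, expected_sha256: str, restore_dir: Path) -> dict:
    """Restore one backup artefact into restore_dir and verify its digest.
    The returned record is what you would keep in the drill log."""
    target = restore_dir / backup_file.name
    shutil.copyfile(backup_file, target)  # stands in for the real restore step
    actual = sha256_of(target)
    return {"artefact": backup_file.name, "restored_to": str(target),
            "verified": actual == expected_sha256,
            "expected_sha256": expected_sha256, "actual_sha256": actual}


def sample_inventory(now: datetime) -> list[BackupSet]:
    """Constructed inventory, not real council data."""
    lock = now + timedelta(days=90)
    return [
        BackupSet("revenues-and-benefits", priority=1, copies=[
            BackupCopy("onsite-nas", "disk", False, None, "a" * 64),
            BackupCopy("offsite-tape-vault", "tape", True, lock, "a" * 64),
            BackupCopy("cloud-bucket-locked", "object-storage", True, lock, "a" * 64)]),
        BackupSet("email", priority=2, copies=[   # 3-2-1 met, but nothing is locked
            BackupCopy("onsite-nas", "disk", False, None, "c" * 64),
            BackupCopy("offsite-disk", "disk", True, None, "c" * 64),
            BackupCopy("cloud-bucket", "object-storage", True, None, "c" * 64)]),
        BackupSet("intranet", priority=3, copies=[  # fails on every count
            BackupCopy("onsite-nas", "disk", False, None, "b" * 64),
            BackupCopy("onsite-nas-2", "disk", False, None, "b" * 64)]),
    ]


def audit(sets: Optional[list[BackupSet]] = None, now: datetime = NOW) -> dict[str, list[str]]:
    """Map each application to the list of findings against it (empty = compliant)."""
    sets = sample_inventory(now) if sets is None else sets
    return {s.application: check_3_2_1(s) + check_immutable(s, now) for s in sets}


def run_drill_demo() -> dict:
    """Restore a constructed artefact against the recorded digest and against a
    wrong one, so the drill log shows both a pass and a fail."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        backup = root / "app-backup.tar"
        backup.write_bytes(b"constructed backup payload\n" * 100)
        (root / "restore").mkdir()
        good = restore_drill(backup, sha256_of(backup), root / "restore")
        tampered = restore_drill(backup, "0" * 64, root / "restore")
        return {"good": good, "tampered": tampered}


if __name__ == "__main__":
    for app, findings in audit().items():
        print(app, "OK" if not findings else findings)
    print("recovery order:", recovery_order(sample_inventory(NOW)))
    print("drill:", run_drill_demo())
```

In practice the `restore_drill` copy would be replaced by the real restore command for the backup product in use, and the audit would read the inventory from the backup system rather than a constructed list; the point is that a failed digest or a missing offsite copy is discovered during a scheduled drill rather than during the incident.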
All organisations have a finite budget for protecting their networks and preventing a cyber attack on their organisation from taking place. If your attacker is a nation state, it is likely that, however good your security is, they can get in if they want to. In the Stuxnet attack, the perpetrators were able to impact Iranian centrifuges situated deep underground where there was no internet connection between them and the outside world. Many of the recovery measures detailed here are much cheaper than spending on extra defence, so my suggestion is to look again at your recovery capability and ask whether you should be spending more money or time on improving it.