Blog · 05 Jan 2021

Impacts of the pandemic on cyber incident response

How to respond rapidly to cyber incidents despite the logistical challenges.

One of the many logistical challenges we’ve seen as a result of the pandemic is how to respond rapidly to cyber incidents.

New working arrangements and resource limitations have introduced significant complexity to a domain that demands quick turnarounds.

A combination of reactive roll-out of infrastructure to accommodate remote working and a rise in opportunistic threat-actors seeking to take advantage of the situation means that we now have a threat landscape that - now more than ever - requires organisations to make sure they’re ready to respond in the timescales required by regulators and customers.

We recommend that you take a look at the following areas:

Prepare for opportunistic threats

Both the BT and PwC Cyber Security teams have seen a marked rise in the number of criminal cyber campaigns seeking to exploit the situation. We’ve spotted highly targeted phishing lures being deployed - often citing government advice or imitating the targeted company, apparently issuing guidance on how to connect to remote working infrastructure. Organisations should continue to be on heightened alert of motivated attackers and conscious of the fact that while the threat has increased, the resources available to detect and mitigate has decreased.

Review availability and wellbeing of key points of contact, and wider teams

Although you may be able to handle short-term absences of key response stakeholders, few companies are equipped to deal with the long-term absences that the Coronavirus situation may cause. Of unique concern is the potential for entire geographical teams to be impacted, as seen in recent outbreaks reported at sites across the country. Organisations should consider what backup or burst response capability could be introduced and weigh up an incident response retainer service with a third party.

Provision for equipment access and travel arrangements

Incident response teams that had previously been highly mobile - such as, servicing multiple sites - may now be unable to travel and fulfil their duties. Differences in regional administrations across the UK may also introduce discrepancies in how support can be offered - for example, travel limitations in Wales precluded travel at the same level as possible in England. Specialist forensic equipment may also need to be distributed across the team, introducing bottlenecks if these team members take ill. The situation could also lead to a variability of skills across teams. Increased delegation of responsibility and provision of additional hardware may be necessary to increase redundancy. Similarly, it increases the need to understand how to access the relevant data remotely or locally and also whether or not there’s a requirement for full legal forensic evidence collection.

Evaluation and testing of the incident response process in the new normal

With remote working set to continue for many teams for the foreseeable future, previously effective working patterns such as commandeering incident “war rooms” and establishing collaborative working spaces may no longer be viable. New response infrastructure should be established and also trialled pre-incident, with care taken to consider if these fit with individuals’ homeworking needs. Crisis exercises should also be considered, these can vary in complexity with paper-based desktop exercises or simulations both being effective.

Please get in touch to discuss any of the measures to enable effective remote working or take a more detailed look at our advisory services