InfoGuard Cyber Security and Cyber Defence Blog

Cyber Resilience: CSIRT insights and emergency plan for top management

Written by Philippe Vetterli | 22 Jul 2022

It is no longer a question of if, but when a business will become the target of a successful cyber attack. This applies to your company too. So it is vitally important for you to take the right precautions to protect your cyber security. In this article, you will learn about the role played by a CSIRT and what you need to urgently do during and after a security incident. Plus – benefit from our 7-point emergency plan with our cyber resilience guide for top management.

In one of our recent articles, we looked in detail at why cyber resilience needs to be on the agenda of the board of directors and the senior management, and what the specific tasks and responsibilities are for top management. Now we would like to build on this and show you what you need to do in the event of a security incident, and how to successfully resume normal operations following an incident. But let's take it one step at a time...

CSIRT – first aid in the event of a security incident

Cyber risks are one of the most significant operational risks a company can face, and it is precisely because of this that you, as a member of the board of directors or senior management, are responsible for implementing an effective risk management concept. One of the most important preparatory measures in terms of cyber security is detecting, analysing and responding to cyber attacks – 24 hours a day, 7 days a week. This is where the Computer Security Incident Response Team (CSIRT) comes in. When you are coping with critical security incidents, you need a well-rehearsed, experienced CSIRT to deal with the situation quickly and successfully. Most companies rely on a capable external partner with a whole body of experience from similar cases. We also recommend you do this. Why? To reduce the length of a security incident and the damage caused, as well as to drastically lessen the impact on the business.

Extremely important: the incident response plan

As a member of the board of directors or the senior management team, a key task for you is to create an incident response process. The goal is to establish an effective incident management system which will define all the processes, guidelines, roles, responsibilities and, last but not least, the communication and escalation channels required. The operational part of this exercise can be delegated to your internal IT and security specialists, but it is the responsibility of the board and senior management to ensure that a process of this kind is put in place, documented and – imperatively – tested. The last point in particular is often neglected, something we can (unfortunately) confirm from our practical experience! The knowledge gained must of course be fed back, in the interest of continuous comprehensive optimisation. Within this process, you should also be able to rely on your trusted partner and its CSIRT. It has been demonstrated more than once in the past that there is no worse time to be assessing a suitable external partner than at the time the incident occurs. We recommend that you avoid this negative, stressful experience by finding the best possible partner in good time. This will ensure that you can rely on top support in the technical area, allowing you and your colleagues to concentrate on other pertinent issues, such as providing information and communicating with customers, business partners, employees and maybe even the general public.

A 7-point emergency plan for top management


What is the state of your company? Where do you stand, and have you already been the victim of a cyber attack in the past? Our CSIRT has an appeal for you at this point. Right now, an incident can strike any company at any time. Your company size is irrelevant, as is the industry or region in which you are operating. But the following fact is confirmed more and more often, almost on a daily basis – and this is the crux of the matter: Most of the time, the people responsible are hit quite unexpectedly and are often completely overwhelmed by the situation. So there is a clear call to action for you as a board member or one of the senior management team – get the necessary preparations in place! We have put together a 7-point emergency plan to support you:

  1. Set up a crisis team: Involve internal (and external) agencies at an early stage.
  2. Plan regular meetings: Alternate between consultative and working phases in the crisis team.
  3. Communicate on a regular basis: Focus on transparent communication - both internally and externally.
  4. Remember reporting obligations: Observe your duty to report to the supervisory authority and, if necessary, to your cyber insurance.
  5. Get outside support at an early stage: Bring in external specialists for resources and skills early on - especially for legal issues and for negotiating with hackers.
  6. Rebuild your ability to function: Create regular backups and store them offline.
  7. Don't forget post-processing: Professional follow-up to evaluate and optimise is every bit as important as preparation. Plan to have an audit of your IT carried out by external specialists to define long-term security measures.

You can find the complete 7-point emergency plan with concrete, detailed recommendations for the action to take in our Cyber-Resilience-Guide for the board of directors and senior management team.

 

How to successfully return from emergency operation to normal operation

Here, too, there is a clear recommendation for you from our CSIRT: Make sure you implement a backup and recovery process because your data is too valuable and business-critical. This does not just involve making regular copies of data and applications to a separate device, but also the recovery of these in case of data loss or damage. We have three things we want you to do as you go:

  1. As a basis, create a plan: WHAT, WHEN (Recovery Point Objectives (RPO), Recovery Time Objectives (RTO) and Service Level Agreements (SLAs)), WHO.
  2. (Rapid) restoration of systems and data.
  3. Test the plan and continuously improve it.

Sounds simple, doesn't it? Unfortunately, experience shows that after an incident, resuming normal operations takes a long time (and often more time than anticipated). Therefore, careful resource and activity planning is recommended in order to achieve the fastest possible, most focused recovery. You should pay special attention to meticulously monitoring and recording the actions taken during this phase. One more thing – in this phase, it is also essential to rely on support from an external partner. This expertise helps you to achieve an effective, safe and successful return from emergency operation to normal operation without the need to reinvent checklists and action plans.

This has also been affirmed by Dr Christian Neubaur, CIO of Siegfried AG, in an impressive video statement (only in German).

 

“You need one thing above all in order to deal successfully with cyber attacks – rapid, professional support from experts who are available round the clock with the resources and experience of similar situations. This is precisely the service that InfoGuard provided us with, right when we needed it. The excellent interaction of expert staff, efficiently organised processes and the right technologies is what helped us the most. This is exactly the kind of service you need in order to be up and running again as soon as possible.”

 

 

An invitation to share experiences

One thing that the last few months have clearly shown is that the quantity and, above all, the quality of attacks have risen markedly, so it should go without saying that protecting against cyber risks should be given the highest possible priority and that this is a matter to be handled by top management. Our recommendation to you is to align your cyber strategy with resilience. We would be only too pleased to support you with this! Let's find out together in a non-binding round-table discussion what your biggest challenges and threats are in the cyber security ecosystem and where they are located. Experience has shown that a face-to-face discussion – from board level to board level or from senior management level to senior management level – is the most effective way of achieving the desired results. Leave your preferred date for us here. We look forward to exchanging ideas with you and your colleagues on the board of directors or the senior management team.