David speaks: Incident Response and Insurance

This week David rounded out his 2020 engagement with the College of Law's Centre for Legal Innovation and their Legalpreneurs Lab with a webinar covering Incident Response and Insurance.

Once again, David was joined by WatchGuard's Matthew See for this webinar. Together they offered an insight into the impact of cyber security incidents and what you can do to minimise that impact if your organisation is ever hit.

Cyber attacks affected 5 million Australians at an estimated cost of $1.06 billion in 2019. Getting your organisation back on track as soon as possible is important, but it can also be costly: the average amount Chubb Insurance paid out per policy for forensics-related activities after a cyber attack hit a staggering $285,851, and with only 27% of SMEs taking out cyber liability insurance, there is a good chance you could be left juggling the recovery of your business and finding the money to fund it. Information theft is the most expensive consequence of a cyber crime (43% of cost), followed by business disruption (33%). So what steps can you take to reduce this? Keep reading to find out what to do if your organisation is the target of a cyber attack.

Cyber Incident Response

FortiTech recommend undertaking these 5 steps on the road to recovery after a cyber incident, whether it was caused by a phishing attack, malicious software or an insider threat:

  1. Immediate Containment
  2. Assess the Incident
  3. Appropriate Notification
  4. Systems Recovery
  5. Post Incident Review

Let's cover these in a bit more detail below:

Step 1 - Immediate containment

It's time to run through what you can do immediately to contain the incident.

Let your IT team know
Whether your IT support team is internal or external, ringing them to let them know there is an issue should be your first step.

If the incident is confined to a single computer, consider whether you can contain the breach by unplugging its network cable or turning the device off.

Change passwords if it is a phishing attempt

Currently, it takes just 19 minutes from the loss of a password until it is used in an attack, so swift action is critical.

Convene your team
Suspicion of an incident is the trigger to initiate your Incident Response plan immediately and to convene your Incident Response team to begin the process.

Step 2 - Assess the incident

Gather the facts and evaluate the risks.

What has been affected?
Gather evidence: create logs and collect other data so you can evaluate the impact.

Where possible, take any immediate actions to limit further harm.

What other systems are involved?
Use your asset lists to track the impact.

Don't forget any cloud services; they may also be affected.

Even if you are unsure a system has been affected, treat it as if it has.

Has data been accessed / taken?
Confirm who had access to the data and how.

Assess the potential harm to the affected individuals.

Step 3 - Appropriate Notification

Notify those who need to know.

Bring up your communications plan.

Follow your communications plan to ensure you have covered off the:
- Who
- What
- To Whom and
- Where

Internal Stakeholders

Notify internal stakeholders such as:


External Stakeholders

The Office of the Australian Information Commissioner (if required)

Your insurance provider, to start a claim

Any law enforcement agencies and government departments (as required)

The individuals affected by the incident (as required)

Communications Tip

Only those responsible for communications during the incident should provide any information to internal or external parties. This gives the organisation a single voice and protects it from reputational damage.

Step 4 - Systems Recovery

Get things back up and running again.

Remediate any damage using appropriate post-breach tools.

Clean all systems suspected or likely to have been breached.

Rebuild systems & recover data
Recover data from backups.

Completely rebuild systems from scratch where that is needed to ensure they are safe.

Change credentials
Don't forget, it takes on average 19 minutes from the loss of a password before it is used in an attack.

Implement multifactor authentication.

Remove dormant accounts.
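The account clean-up in Step 4 (rotate credentials, enforce multifactor authentication, remove dormant accounts) is easier to do thoroughly if it is scripted against an export from your identity provider rather than eyeballed. The following is an added example, not code from the original post or from FortiTech. It works on a constructed CSV export with made-up usernames and dates, and it assumes a 90-day dormancy threshold and a fixed incident time; both are settings you would choose for your own environment.

```python
"""Post-incident credential hygiene review (Step 4 of the response plan).

Added example; not part of the original post. Reads a constructed account
export (username, last_login, mfa_enabled) of the kind most identity
providers can produce, and reports:
  * accounts dormant for longer than DORMANT_AFTER (candidates for removal)
  * accounts that still have no multifactor authentication
  * the full list of accounts whose credentials should be rotated after
    a suspected breach (all of them, not just the ones known to be hit)
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export: every username and date here is made up.
SAMPLE_EXPORT = """username,last_login,mfa_enabled
alice,2020-11-20T08:15:00Z,true
bob,2020-05-02T17:40:00Z,false
carol,2020-11-25T09:00:00Z,false
svc-backup,,false
dave,2019-12-01T12:00:00Z,true
"""

# Assumed values for the example: the time the incident was declared and
# how long an account may go unused before it is treated as dormant.
INCIDENT_TIME = datetime(2020, 11, 27, 10, 0, tzinfo=timezone.utc)
DORMANT_AFTER = timedelta(days=90)


def parse_export(text):
    """Turn the CSV export into a list of account dicts.

    An empty last_login means the account has never been used.
    """
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        raw_login = row["last_login"].strip()
        last_login = None
        if raw_login:
            last_login = datetime.strptime(raw_login, "%Y-%m-%dT%H:%M:%SZ")
            last_login = last_login.replace(tzinfo=timezone.utc)
        accounts.append({
            "username": row["username"].strip(),
            "last_login": last_login,
            "mfa_enabled": row["mfa_enabled"].strip().lower() == "true",
        })
    return accounts


def review_accounts(accounts, now=INCIDENT_TIME, dormant_after=DORMANT_AFTER):
    """Classify accounts for the recovery checklist.

    Returns a dict with three lists of usernames: 'dormant' (never used or
    unused for longer than dormant_after), 'no_mfa', and 'reset_credentials'
    (every account, because a breached environment cannot vouch for any of
    its passwords).
    """
    dormant, no_mfa = [], []
    for acct in accounts:
        never_used = acct["last_login"] is None
        if never_used or now - acct["last_login"] > dormant_after:
            dormant.append(acct["username"])
        if not acct["mfa_enabled"]:
            no_mfa.append(acct["username"])
    return {
        "dormant": dormant,
        "no_mfa": no_mfa,
        "reset_credentials": [a["username"] for a in accounts],
    }


def print_report(result):
    """Human-readable checklist for the person doing the clean-up."""
    print("Dormant accounts to disable/remove: " + ", ".join(result["dormant"]))
    print("Accounts lacking MFA:              " + ", ".join(result["no_mfa"]))
    print("Credentials to rotate:             " + ", ".join(result["reset_credentials"]))


if __name__ == "__main__":
    print_report(review_accounts(parse_export(SAMPLE_EXPORT)))
```

Accounts that have never logged in (like the constructed `svc-backup` service account) are deliberately treated as dormant rather than skipped, because unused service accounts with weak or shared credentials are exactly the kind of thing a post-breach clean-up should catch.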

Step 5 - Post Incident Review

Review the incident and consider what actions can be taken to prevent future incidents.

Adjust your policies
Review your policies to ensure they cover the breach, and adjust them as appropriate so that they remain relevant moving forward.

Adjust your procedures
Make sure existing procedures will mitigate any risks to business systems and data, and implement new processes to ensure the business is protected from future incidents.

Educate your staff
Educate staff on what went wrong, why it happened and what they can do to help prevent it in the future.

Staff who can help protect your business increase the chance that incidents are caught earlier and resolved faster and with less damage.

We have covered cyber liability insurance in another of our blogs, so we won't rehash it too much here, but it is safe to say that having a suitable policy for your organisation will make a significant difference to your rate of recovery should you be hit by a cyber incident. We recommend that you consider the following points when weighing up which policy is right for your business:

  • Data loss and restoration, including decontamination and recovery
  • Business interruption loss due to a network security failure or attack, human errors, or programming errors
  • Incident response and investigation costs
  • Delay, disruption, and acceleration costs from a business interruption event
  • Crisis communications and reputational mitigation expenses
  • Liability arising from failure to maintain confidentiality of data
  • Liability arising from unauthorised use of your network
  • Network or data extortion / blackmail (where insurable)
  • Online media liability
  • Regulatory investigation expenses
  • Make sure your policy covers both 1st party and 3rd party losses.

As always, consult an expert such as your insurance broker to ensure you are getting adequate cover. If you do need an insurance broker, FortiTech have some great contacts in the industry; just send us an email to get their contact details.

While responding to a cyber incident is certainly the last thing an organisation wants to be faced with, it is essential to have the right processes and policies in place should it ever occur. We trust that this blog has been a stepping stone to educating our readers on what to do when faced with such a matter. For more on how to protect your organisation from cyber threats, why not check out the rest of David's previous Cyber Security talks held during 2020: