Home > Security > Articles

Create a Cyber Response Playbook for your business

^{May 2022}

Forethought and preparation are the first lines of defence for businesses as they face fast-growing cyber threats. Creating a bespoke Cyber Response Playbook will help your organisation find ways to improve cyber security as it builds crucial capabilities in anticipation of an incident.

Does my business need a Cyber Response Playbook?

Yes. Cybercrime continues to rise exponentially worldwide, driven by the rapid growth of ransomware attacks. When a cyber incident happens, a Cyber Response Playbook will help your business to hit the ground running.

Westpac's Simon Brown discusses with leading cyber security expert Drew Williams of the Australian Cyber Security Centre (ACSC) and Westpac’s Nigel Sanderson to define the crucial components for your playbook and discuss how businesses can best prepare to protect their operations.

As Williams highlights, “an organised response to a cyber breach speaks very highly of a business”.

So, what are the biggest cyber risks for business? And why do they need a playbook?

Simon Brown: Businesses are relying on technology more than ever, particularly with the increase in working from home. At the same time, the Australian Cyber Security Centre Threat Report for 2020-21 notes that cybercrimes – including ransomware, business email compromise and phishing – cost businesses about $33 billion for that period.

Drew Williams: We’re seeing an industrialisation of cyber threats, such as ransomware, where cyber criminals – and what we call APTs (advanced persistent threats) – hack into and remain inside digital systems in order to mine data and information before encrypting the system.

This makes it more likely the business will pay a ransom (to prevent publication of sensitive data), and potentially provides an additional income stream for the perpetrators if that sensitive data can be on-sold to other cyber criminals on the dark web.

Ransomware is one of the biggest threats to businesses. That’s why the ACSC spends a significant amount of time focusing on uplifting organisations’ security and mitigating threats before they happen.

A plan or Cyber Response Playbook is crucial for understanding everyone’s role within a business and hitting the ground running if there is a cyber incident.

The ACSC has a Cyber Incident Response Plan template that walks people through the key planning and response steps to a cyber attack. Having a lot of that information distilled, in a hard-copy format, and available when an attack occurs can help quell a lot of the panic.

As part of formulating a playbook, you need to understand your environment, your assets and the networks connecting them.

We also encourage businesses to rehearse and exercise their playbooks just as they might run six-monthly fire drills – this helps to highlight potential gaps in the playbook and get everyone comfortable with their roles.

For instance, how will you communicate with customers who might be impacted by your cyber breach or outages? Who decides whether the media will be contacted? And who makes that call? Rehearsing puts people in the crisis head space and encourages them to consider hard decisions without an immediate threat to their business or reputation.

Why is it so critical to have a hard copy of your playbook?

Williams: In many cases, the first indication of a cyber incident is when everyone comes to work but they can’t log in because of a ransomware attack. Suddenly, you can’t access your company directory, your email system, or even your incident response plan. Having a hard copy means you’re not scrambling – you’re looking at the plan, not looking for it.

If a business has a technology supplier or in-house team, then they clearly should be involved in creating a playbook. Who else should be in the mix?

Williams: At the ACSC, we recommend a bottom-up approach. Companies should understand which parts of their business could be impacted by a cyber incident and get the leaders in those areas to help define the threats and be involved early in the planning phases. This encourages cyber security to become a ‘team sport’, not just the domain of IT – it is a business risk just like any other that everyone must deal with.

You also need to engage any technical specialists who deal with your network, internally or externally, including cyber security providers and desktop support teams.

I’d recommend having a list of phone numbers – in hard copy – to call for an instant response and assistance, whether that’s for a cyber-defence expert who’s on contract, or an essential provider such as your bank, your suppliers, or your customers.

Given the constantly changing cyber-threat environment, how often should businesses review playbooks and rehearse their responses?

Brown: The playbook needs to have a key set of technical components at its core, but it shouldn’t stop there. It should be a whole-of-business playbook that evolves as you create, rehearse and execute it. This process helps businesses to improve security, as well as fine-tune their response to cyber scams and fraud.

Williams: Every time there’s a major change in your network. If you’ve just installed a new back-up system, for example, or made other significant systems changes, that makes your playbook obsolete and it’s time to update it.

Nigel Sanderson: I recommend building the playbook into your business calendar, just as businesses do with fire drills, and monthly or annual attestations around their security controls. Then it becomes part of the operating rhythm of the business.

Businesses, including SMEs, also face significant reputational damage if a cyber attack is widely reported. How can they safeguard their brand?

Williams: In the event of a cyber attack, they will face potential business continuity issues and reputational risk. Every response they make will have an impact, positive or negative. They must think about these risks before an attack and understand what head space their customers and suppliers will be in if there is a breach.

There are some ‘must-dos’ like dealing with regulators and law enforcement after an incident, but increasingly we also see integration between a business’s systems and those of their suppliers and customers, which may also have contractual obligations relating to notification of security incidents.

So, you need a planned statement or some key messages for stakeholders. It speaks very highly of a business when it has an organised response to a cyber breach. Being able to say: “We have enabled our crisis plan” is a good confidence signal.

In terms of educating staff and embedding lessons following a rehearsal or a real cyber attack, what tactics do you recommend?

Williams: If you have checklists in the playbook, you can hand them out and say: ‘You’ve got a job to do.’ Role cards are recommended in rehearsals so that people know what to do. These can be retained so they can follow along if an incident occurs. Then, after a rehearsal or an incident, you should document the lessons learned and make changes as required.

Sanderson: When new employees come on board, especially those who have access to your banking or accounting platforms, it’s really important that they’re taken through the playbook as quickly as possible. It should be built into any inductions.

Cyber attacks can be stressful and emotional. So a playbook should also cover the mental health aspects of an attack, and how to protect your people during a crisis. That’s why Westpac partners with support services such as IDCARE who can provide support to your business if required.

What are the key ACSC tools and resources for businesses to repel or respond to cyber threats?

Williams: The Essential Eight is our key guide that explains what organisations could and should do, depending on their scale.

Then we have our very detailed Information Security Manual, which is the gold standard of cyber security for larger corporations and government. We also do regular alerts through cyber.gov.au/alert-service on specific measures businesses can take to mitigate specific risks.

And the ACSC’s Joint Cyber Security Centres around the country help the Australian cyber security community come together in a trusted environment to drive collaboration and information-sharing.

Finally, the ACSC provides information on developing a Cyber Incident Response Plan on cyber.gov.au, which has a wealth of information on developing a plan to respond to a range of threats that can be tailored to an organisation's own circumstances.

And how can the ACSC help in the first instance when a cyber attack actually happens?

Williams: Businesses can lodge an incident report with us by phone, email, or directly through cyber.gov.au/report. The earlier, the better, because that incident could tie into a current cyber attack campaign and we can provide some fast mitigation advice.

Sanderson: Financial institutions also play a key role for their customers. If you recognise a transaction that could be due to fraudulent activity on your account/s or if you believe your security has been compromised, contact us immediately. We can ensure protections for your digital banking services and, of course, Westpac is always here to help customers with their cash flows if an incident happens.

It’s also worth noting that many SMEs are now taking out cyber liability insurance, which helps them get back on their feet faster.

Let’s finish with a snapshot of some proven remediation actions to assist businesses in the event of a cyber security breach.

Williams: First – and I put this in bold – why wait for an incident? Prepare now and do your rehearsals.

Second, any user who has administration access to systems, or who wears other hats in your business, make sure they have different/unique email accounts and passwords for their various tasks. Particularly, email and internet access, which shouldn’t be available from accounts that also undertake system administration tasks.

Third, embrace multi-factor authentication, or MFA, as an added layer of protection for anyone accessing your digital systems. A lot of attacks just don’t get off the ground if that’s in place.

Fourth, have a patching strategy to keep software up to date.

And, finally, regularly backup your data to an external location, preferably so that it can be restored from multiple points in time. Too often we see a ransomware hit and the business restores the backup, only to have the actor’s tools on the backup as well – and the next week they suffer another ransomware hit.

If you follow these tips, it makes life a lot harder for the bad guys.