
Incident response: the first steps to recovery after a cyber attack

We've written before about managing cyber security risk and what leadership during recovery looks like. But what about the first few steps towards recovery?

When so much of the focus is about securing systems, it can be difficult to think about recovery. But the question is as important for leaders as it is for teams.


At a high level, it’s about using the tools and habits we help all teams to adopt - service mapping, outcome-driven development, empowered teams, and transparency - and applying them to the critical challenge of recovery.

This post provides a brief guide to recovery after a cyber attack, highlighting the tactics that will prove critical in getting you back on your feet, fast.

Map what your organisation does

It’s absolutely fundamental that you have a high-level understanding of what your organisation does. It seems like a facile thing to say, but in large organisations there can be huge areas that are relatively opaque to central operations teams.

This service map doesn’t need to be at the task-by-task level. But it should illustrate the journey your customers and/or internal teams go on. It will be an essential asset for recovery planning.

What this map needs to include will be different for different organisations. For news outlets, how do stories flow from source to screen? For retailers, what are the steps that take you from thinking to trading? How do you pay staff and suppliers?

Getting together a cross-functional team will help you make a comprehensive map. At the same time, a neutral facilitator will ensure people don't get lost in the details. Both of these are important foundations for the actual work of recovery too (more on that below).

As you build these maps, you’ll see the flow of information through your organisation. Pinpoint your priorities: what’s essential? It’ll take time to recover your systems: what activities do you need to find workarounds for right now?

The best time to make this map is now (i.e. before you’ve been attacked). Having this in your back pocket can save hours, or even days. If it’s too late for that, then get a team working on this while others focus on securing your systems.

Highlight the capabilities you have, and the ones you don’t

Use your map to work out what you’ve lost.

In many organisations, the systems your teams use are likely to be highly fragmented. Those silos might be helpful: you might be frozen out of your CRM, but have complete access to your inventory tools. In other words, your gaps will be partial. But it might be that the critical systems that underpin several parts of your operation are effectively gone.

Come back to the priorities on your map: what can you actually do now? Your team (and your suppliers) must be clear about which systems you can trust, and what data is accessible.

You’ll likely find yourself with a map that shows things like:

  • We can file draft copy for review, but we can’t publish it

  • We can design new products, but we cannot send these to suppliers

  • We can track inventory on existing third-party systems, but cannot connect it to our central database

Whatever the specifics, your map will show you where the gaps are. Use this to understand which gaps are most critical and prioritise these.

It’s worth noting that this map of what’s possible (and what’s missing) will fluctuate. You’ll learn by the hour whether “safe” systems have actually been compromised, or whether you have access to unaffected third-party systems. That’s normal.


Focus recovery efforts around outcomes

You should now understand:

  • What the most important needs are to your organisation

  • Which of these you can’t currently meet

  • What to fix first

With a system-wide attack, the temptation will be to solve every problem at once. Outcomes keep teams on track.

Get started with a clear outcome. Something like “We can communicate with customers who have placed orders with us.”

Those outcomes will help you work out who needs to be in these teams. Make sure there’s a voice for the end user on board too (whether it’s your customers or your colleagues), as well as delivery and facilitation support. These skills will help your recovery team stay honest about the outcome they’re working towards.

Empower teams to plug the gaps

Empowered teams need to be able to create solutions, not just think about them. As well as making sure the team has a blend of technical, operational and specialist skills, they need a mandate to deliver on their outcome. That means:

  • Permission to test and learn

  • Access to users (whether those are colleagues or customers)

  • Authority to talk to partners and suppliers

  • Visibility of the work of other teams

  • A route to escalate problems that are blocking progress

This list shouldn’t come as a huge surprise - it’s baked into the advice we give to all our clients. But in times of crisis the traditional response is to lock down, close up, stay guarded. That approach won’t lead to quick recovery. Yes, it’s important to be disciplined about what a recovery team deploys. But the near-term view needs to pair security with recovery.

Be mindful about how sustainable this work is. As Cate McLaurin says in her piece on leading through a cyber attack: “The intense pressure of crisis management can lead to burnout.”

As days roll into weeks, consider rotating some of the experts in these teams. Partly, this will give people a breather. But you’ll also be distributing knowledge about what’s going on. This will be especially important once the workarounds are in place and these teams start maintaining the solutions they’ve built.

Be open about progress

Successful recovery demands tight-knit communication. It’s likely you’ll have multiple teams trying to stand up different processes. Clear outcomes should mean teams aren’t stepping on one another’s toes. But there may still be times when those teams need support from one another, or are competing for people and data.

In the first few days of recovery, get the leads and/or facilitators to check in a couple of times a day. Ideally, these will be light-touch updates so leaders and colleagues can learn: here’s where we’re at, here’s what’s blocking us, here’s what we need. This isn’t a time for leaders to get stuck into the minutiae of the work. It’s about visibility, and clearing a path for your recovery teams to deliver.

Create time for other teams to ask questions: “Are you capturing the data I need? Are you looking at how to connect our services?”

This should also be when you share updates about what data and tools are (or aren’t) available. Any change is likely to affect the scope of one (or all) of the teams developing workarounds.

While this work is going on, keep the wider organisation in the loop. Manage these updates centrally: don’t put the weight on your recovery teams until they’re sharing tutorials or managing feedback. Remember, trust will be low. Without this heartbeat, it’ll evaporate entirely.

Start preparing now

Depending on the extent to which your systems have been compromised, the road to recovery might be long. The journey isn’t going to be linear: progress will come in fits and starts.

At Public Digital we say that cyber attacks are a question of when, rather than if. The best way to embolden your response - and pick your organisation up faster when you are knocked down - is to start preparing now.

Build your maps. Understand how you operate, truthfully. Grow your confidence in using cross-functional teams, and outcome-driven approaches.

Embedding these ways of working now not only prepares you for crisis, but also lays the foundation for a truly adaptive organisation.

We work with organisations to build up their cyber resilience, as well as providing strategic support to organisations in the process of responding to a cyber attack. Earlier this year, we worked with the Local Government Association to launch the Cyber Incident Grab Bag for local authorities.

Speak to us about your organisation’s cyber challenges.
