Communication about cyber attacks emerged as another key theme in the panel discussion. The SingHealth data breach underlined the need for early and accurate communication with key stakeholders, said Fong.
“The public was informed of the SingHealth data breach a mere 10 days after the incident was reported [to Singapore’s Cyber Security Agency],” she said. “Within that time, we had a team on site helping SingHealth contain the incident and reconstruct the attack and figure out exactly what data was exfiltrated so that we could confirm that no medical records were modified or deleted.
“We had to balance the need for speedy communications with the need to manage the crisis at hand and get the facts right.”
Another important thing to remember, said Hudson, is that communication is not just about the media when an attack or breach goes public.
“It has to be in the very widest sense of comms, so it is also about internal comms to keep staff informed and potentially comms with regulators, people affected by the breach and suppliers,” she said. “You need to know up-front how you are going to communicate with them.”
Hudson said comms within organisations also have an important role in bridging the various communities of stakeholders. “They need to be continually asking questions to ensure that there is a common understanding of what is going on and who is affected, that everything that goes out is consistent and makes sense, and that everyone involved is on the same page.”
In terms of communicating with the media about a cyber incident, Hudson encouraged organisations to contact the NCSC for support. “The NCSC can be a bridge between an organisation dealing with an incident and the media,” she said, adding that in the case of a cyber attack, involving the NCSC means the agency can work with organisations not only to get messages out to the media, but also to mitigate the effect of attacks and translate incidents into what needs to be done and who needs to know.
“We will work with you as a trusted adviser,” she said.
In the wake of the SingHealth breach, said Fong, investigators were able to reconstruct the attack and see what had happened fairly quickly thanks to good, comprehensive data logs. “We were really fortunate because we had good logs for the SingHealth database,” she said.
“It may seem a very straightforward point, but it is non-trivial. I cannot over-emphasise that the database logs helped the investigation team a great deal. Good housekeeping augments incident response.”
The availability of good data is one of the main challenges faced by cyber security incident responders, said Ollie Whitehouse, chief technical officer at NCC Group.
“The availability of good logs in a timely fashion is critical,” he said. “But there are many organisations that cannot give you visibility into their estate and what has happened – and that really frustrates the investigation.”
The second common challenge, said Whitehouse, is the inability of organisations to respond to an incident, for example by locking things down quickly.
“And the third challenge is the supply chain,” he said, “especially where there are contractual limitations where you need help from a supplier, either in giving clients logs in a timely fashion or in allowing third parties such as incident response firms access to their systems in order to protect the larger entity.
“Addressing just these three problems will enable organisations to have a far more effective response. This is particularly when things come to light weeks, months and even years later because the inability to go back in time due to the lack of data leaves many questions unanswered, and this can be very frustrating when you have got to report to regulators or shareholders.”