Expert Advice: How to Handle a Cyber Disruption

June 16, 2017

Kami Buchholz

The essence of automotive cybersecurity's current state of capability: It’s possible to thwart most—but not all—cyber incidents.

The impulse to shut down a computer and restart it could further complicate a cyber situation, said cyber specialist Brian Warszona at Willis Towers Watson. (Image: Willis Towers Watson)

Response and recovery should be done with face-to-face meetings and phone calls, advises Brian Balow. (Dawda, Mann, Mulcahy & Sadler image)

How quickly can your organization make a determination, preserve the evidence and do what’s necessary to limit the impact?, asks Bill Hardin. (Charles River Assoc. image)

“You can put in place all the preventive medicine that you want, but a cyber disruption is going to happen. The relevant question for an organization is ‘how will you respond?’” said Bill Hardin, Vice President of Forensic & Cyber Investigations at Charles River Assoc.

Hardin and other cyber security experts who recently spoke with Automotive Engineering stress the importance of developing a response plan for online attacks. A company’s general counsel, chief information security officer and outside legal counsel typically are involved in assembling such a plan.

“It can be just a one-pager that states the response team’s quarterback, the things that need to be done and the folks who need to get involved,” Hardin said.

Whether it’s a virus, a ransomware demand, or another type of cyber attack, the disruption requires immediate attention. And the unfolding situation needs to be handled in a coordinated manner.

Brian Balow, a member of the law firm Dawda, Mann, Mulcahy & Sadler PLC, advises clients dealing with a cyber situation to avoid communicating via emails and texts.

“While deliberating the incident, the response and recovery should be done with face-to-face meetings and phone calls,” he said. “After you’ve made decisions about what to do, then you can document those decisions in writing.”

It’s important to keep the information technology landscape intact after a cyber hack. “Preserve the IT environment if you can. If you do not have a system backup, you may be required to reconstruct the databases. And doing that reconstruction means you’ve lost a lot of the server log information,” Balow noted. “That historical information can be used to help understand what happened and understand how many individuals were affected.”

The impulse to shut down a computer and restart it could further complicate a cyber situation, according to Brian Warszona, Vice President, Cyber Specialist for Willis Towers Watson. “You really don’t want to do something when you’re not even sure what it is. It could just be a computer glitch,” he said. “Don’t panic; consult with your company’s designated response-plan quarterback.”

A rush to judgment can be pointless, especially since not all cyber incidents trace back to hackers. “How did the bad guys get into the system? Did they even get into it? Was it a misconfiguration of code? It comes down to how quickly we can make a determination, preserve the evidence and do what’s necessary to limit the operational impact on the organization,” Hardin said.

Meanwhile, cyber-attack 'rehearsals' can good practice to stay prepared. “Let’s say a company is concerned about a ransomware demand. The response team, along with outside legal counsel, could do a few tabletop exercises to see if there are any vulnerabilities in the process,” suggested Warszona.

Having procedures and policies in place before a cyber disruption is just as important as training the workforce on the cybersecurity action plan. Observed Balow, “A data security protocol is not ‘nice-to-have’ anymore, it’s must-have.”