Infosecurity Europe
4-6 June 2024
ExCeL London

Learning from Past Incidents to Boost Cyber Resiliency

Winston Churchill is widely credited with the warning that “those that fail to learn from history are doomed to repeat it” (the thought originates with the philosopher George Santayana), and it is a mantra that applies to all areas of life, including cybersecurity.

In cybersecurity, it is recognised that learning from major cyber incidents is critical for enhancing defences and responding to attacks.

During the Infosecurity Magazine Spring Online Summit 2024, Ramona Ratiu, Head of CTTX - Cyber Tabletop Engagements at Zurich Insurance, noted that “learning from past cyber incidents is crucial for improving incident response plans going forward.”

A Poor Track Record of Learning from Past Incidents

Traditionally, organisations have not been open and transparent about cyber incidents they experience, often attempting to cover up the impact due to concerns over reputation, and ultimately, consumer and investor confidence.

A report by Keeper Security in September 2023 found that nearly half of cyber incidents are not reported by victims.

This reticence has been demonstrated on numerous occasions. For example, in October 2022 former Uber CSO Joe Sullivan was convicted of federal charges, obstruction of an FTC investigation and misprision of a felony, for covering up the 2016 theft of Uber drivers' and customers' personal information.

Sullivan apparently told a subordinate that information about the breach needed to be “tightly controlled” and that the public story was to be that “this investigation does not exist.”

During a talk in 2023, Sarah Armstrong-Smith, Microsoft’s Chief Security Advisor, said the cybersecurity sector is generally poor at learning lessons and improving practices as a result.

“It doesn’t matter how many times we see these incidents, they continue to happen over and over again,” she stated.

Signs of Improvement in Incident Transparency

Governments around the world are placing obligations on organisations to improve their transparency around cyber incidents. In July 2023, for example, the US Securities and Exchange Commission (SEC) adopted new rules requiring publicly listed firms to disclose material cybersecurity incidents within four business days of determining that an incident is material.

There is also a recognition that amid surging cyber-attacks, embracing transparency during and post incidents can even be beneficial to victim organisations.

In an article advocating a ‘radical transparency’ approach, Dr Niklas Hellemann, CEO at SoSafe, said that talking about cyber incidents can help raise awareness of cybersecurity, helping internal and external people to spot cyber-threats and react accordingly.

Additionally, proactive communication can enable companies to maintain a degree of control over the narrative and reporting of a breach in the media.

This contrasts with the reputational damage caused if a company is revealed to have tried to bury news of an attack or deny it even happened.

Such a mindset is starting to take hold. In November 2023, University of Manchester CISO Heather Lowrie delivered a talk setting out how the institution approached remediation and recovery following the damaging cyber incident it experienced in June 2023.

In March 2024, the British Library was lauded for publishing a comprehensive report on the ransomware attack that shut down digital services and breached the personal data of Library users and staff in 2023.

The report included how the attack was perpetrated, the Library’s response and measures taken to prevent a similar incident occurring.

Such transparency provides valuable information for other organisations, particularly those in similar sectors, to prepare for such attacks.

How to Learn Effectively from Past Events

For organisations that have experienced a cyber-attack, post-incident reviews are essential to understand how the attack occurred, security shortcomings and the effectiveness of the incident response plan.

Ratiu advised: “Have a formal process where you hold a post-mortem analysis after resolving a security incident.”

She added that to assess incident response effectiveness, organisations need to define metrics for success, then use those metrics to identify areas for improvement.

It is also vital that organisations collaborate with the wider community, participating in information sharing forums to learn from others’ experiences.

Following an analysis of public enquiries into major cyber events, Armstrong-Smith highlighted several common themes that if addressed, could substantially mitigate the impact of such incidents.

These include a lack of empowerment for first responders to make immediate decisions during an incident, and an expectation that every decision must be communicated from the top of the organisation all the way down. Both elements serve to delay vital action being taken to mitigate the attack early.

A key learning from this is to establish clear rules and processes about who is empowered and to what degree in situations that require immediate decisions to be taken.

Armstrong-Smith added that insights from internal and external cyber incidents should be used to create incident simulations that closely replicate real-world scenarios.

Most organisations’ crisis management exercises do not enable personnel to truly experience the impacts of attacks, she noted. Only through realistic training exercises can security teams truly understand what they are trying to protect and why.

Cyber-attacks continue to rise, and any organisation can fall victim. It is no longer acceptable to ‘cover up’ such events. Instead, they should be used as an opportunity for learning, and for helping others practise for and mitigate similar attacks.
