Some US companies have trained specialist computer incident response teams (CIRT) to deal with such matters, or prepare SWAT teams made up of ad hoc IT staffers ready to move into action when an emergency strikes.
Such matters aren’t dealt with in such a sophisticated manner here, but New Zealand firms seem prepared for our apparently lesser threats.
CIRT teams are likened to a fire crew, trained to respond quickly to specific incidents with the aim of limiting damage and reducing recovery time and costs.
A CIRT may be activated by virus or hacker attacks, internal sabotage or even suspicious activity, such as repeated attempts to gain access to a system.
The Americans say organisations without a CIRT tend to suffer bigger costs from emergencies, and respond more haphazardly. They also pay a price in terms of reputation damage and lost customers.
The advice if forming a CIRT is to know your constituency. Decide which computers, address ranges and domains will be monitored for incidents. Know what services the CIRT will provide and to whom. Develop policies for when to disclose security breaches and when to report an incident to law enforcement agencies. And be sure to advertise contact information for the CIRT throughout the organisation.
You also need to figure out which department the CIRT should be in and who should head it. And a CIRT team will also need management support, because it may require cooperation among multiple departments, such as legal and human resources.
Maintaining a full-time incident response team can be expensive, so many organisations choose to have an ad hoc incident group that can come together quickly when needed.
CentrePort in Wellington has an IT department of seven; specialist response team duties are part of daily activities.
CIO Kerry Elton says the port has suffered no major failures or incidents and believes it has good systems in place.
The IT system undergoes three separate checks and has structures in place to determine the appropriate response.
An IT manager would typically project or incident manage any emergency, though it would soon come to Elton's attention.
The IT manager would authorise any shutdowns of equipment, and communicate what was going on.
A “handful” of specialist staff would then be assigned to the incident, depending on what it was and what types of skills were needed.
Human resources and legal staff may also be brought in, depending on the type of incident. For example, if a staff member brought in a virus, the HR team might deal with any disciplinary matters. If the source of a virus or hack attack could be determined, the lawyers would be called in to seek legal remedy.
Horizons-Manawatu Regional Council, similarly, has specialist people assigned to various roles as part of their normal duties.
IT manager Peter Ellery says the council has a rotating duty officer on call 24x7, who is the first port of call for any incidents.
IT systems are electronically monitored and the IT department would be paged if there was an incident.
If an incident is serious enough, Ellery is contacted. But typically the response would be by the person with the appropriate skill or expertise. The six-member IT department has a back-up system whereby one staffer will have 75% of the knowledge of the particular specialist who could also offer support.
The system saw the duty officer successfully notify the council's virus specialist during an outbreak last year, Ellery says.
The Palmerston North-based council claims few incidents, but it is always checking: 300 daily checks are made by the duty officer, and other weekly and monthly checks carried out.
Canterbury University has an IT department of 100 staff but, despite its size, has no formal response team.
The university subscribes to the AUSCERT early warning system, working with the organisation on detection of and dealing with warnings.
"There’s not a standard way of approaching things," says deputy IT director Robin Harrington. "It’s a combination of whatever is available and who has the appropriate expertise. Different people have different responsibilities. It depends on the systems as to who deals with it, but once they get into it, they will talk to each other."
Harrington says staff can stand in for others and claims Canterbury’s approach is “more responsive than a formal approach”.
However, the university recently suffered the failure of printers thanks to a virus entering its systems through a laptop computer.
Regardless of whether your response system is formal or informal, it will do no good if the plans and procedures just sit on a shelf. Conduct frequent drills and exercises, especially for ad hoc teams. Remember, it is a process that you have to do right, but hope you never have to use.