Law firm Russell McVeagh’s information communication and technology (ICT) team has published a booklet Cyber Attack Tookit, billed as a step-by-step guide on how to prepare for and respond to a cyber attack. It covers the roles and responsibilities of a cyber response team, the eight steps towards cyber attack preparedness, the technical response, managing external communication and making or defending legal claims.
The firm says responsibility of cyber attack prevention and cure should not lie solely with an organisation's IT department, or with IT providers. Rather, management teams should understand the risks and have devised and implemented an appropriate cyber resilience programme across their organisation.
It lists the eight steps towards preparedness as being:
• making an inventory of critical IT assets;
• assessing the risks and understand the practical impacts of a cyber attack;
• setting the standards and determine the standard of reasonable protection;
• doing a gap analysis of current practice;
• ensuring appropriate documentation and contractual arrangements are in place;
• making and implementing a plan to rectify current deficiencies;Read more: NZX COO Mandy Simpson to head new cyber security centre, Cyber Toa
• planning for an attack;
• testing organisational response and continually adapting to changing circumstances.
The 'How to respond' section of the booklet details 'three 'C's of a cyber attack response': Correct, Communicate, and Claim. Advice includes how to leverage contractual rights, who needs to be advised (and what and how they should be told), and then after the dust has settled, how to determine what kind of claim an organisation may be able to make (and what claims may be made against the organisation).
Tom Maasland of Russell McVeagh's ICT Practice Group said the toolkit would be an evolving document. “With the continual acceleration of technological change, we all need to continue to assess, adapt, and prepare,” he said. The toolkit is available at no charge by emailing firstname.lastname@example.org.