Plain English Cyber in 3 articles, 2 numbers and 1 action.

This week: Ukraine’s responses to Russian cyber attacks remind us of the value of an incident response plan, why DuckDuckGo is not as privacy-centric as you might think, and why paying a ransom may only mean you’ll be paying one again, and sooner than you may think.

This week’s action: Reduce the need for an incident response plan by writing one.

If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from or wherever you get your podcasts.



1: Russian cyber attacks against Ukraine may have succeeded, but their impact was minimised

The Register reported on the opinions expressed by cybersecurity leaders at a recent RSA security conference. The article discusses how “the Russians have seen success worldwide penetrating networks and dropping malware [..] However, the Ukrainians are able to rebuild the networks within hours [..] They’ve got backups ready to go, and they can rebuild it very quickly and very efficiently. And that’s something we don’t practice here. [..] Ukraine has also provided an on-the-ground view of how to do incident response amid falling bombs, blackout conditions and blocked IP addresses.”

It’s a reminder that your cybersecurity defences aren’t just about blocking an attack. They are also about minimising the impact of a successful attack.


2: The value of an incident response plan

And that first article brings us to the topic of Incident Response Planning.

This short article by the National Law Review in the USA explains why an Incident Response Plan is so valuable, and the key elements of such a plan.

As the article states, an effective Incident Response Plan “can

  1. strengthen your business’s data security prior to an attack,
  2. facilitate an effective response to any attack,
  3. speed your company’s recovery from an attack and
  4. help shield it from legal exposure in the event of follow-on litigation”.

The article goes on to describe the key elements of an IRP, including:

  • Identifying who will be on the incident response team
  • Which key external vendors you will need (e.g. for the IT investigation, insurance assessment, and legal representation), and
  • The key things you will do in the initial hours of your response.

I discuss Incident Response Planning in this week’s action below.

Read more: via ISACA SmartBrief

3: DuckDuckGo: The privacy-centric search engine that ain’t so private

TechCrunch reports on a recent revelation about the DuckDuckGo search engine. If you haven’t heard of DuckDuckGo, it sells itself as the privacy-centric search engine which should be used by anyone who is sick of being tracked online. Unfortunately, a Twitter user and DuckDuckGo auditor, Jack Edwards, has found evidence to suggest they have removed some bricks from their Impenetrable Wall of Privacy, enabling Microsoft’s LinkedIn and Bing platforms to still track you.

We all have different views on privacy and we draw the lines in different places. But for an organisation that sells itself as privacy-centric to be caught carving out exceptions for preferred partners is disappointing. DuckDuckGo may Duck their responsibilities here by saying the deal with Microsoft had been announced, but it doesn’t matter if this deal was in the public domain. I am sure DuckDuckGo users would Go elsewhere if they knew their perception of the service is different from the reality.

To top it all off, I actually think the core DuckDuckGo service isn’t that great. I find the relevance of their search results to be very hit-and-miss. I personally prefer StartPage, another privacy-centric search engine (although perhaps that is until some researcher finds flaws there too).




1: 80%

80% of organisations that paid a ransom as a result of a ransomware attack were hit by ransomware a second time. This is according to a study by Cybereason (a cybersecurity vendor) and based on the responses of 1400 cybersecurity professionals.

2: 68%

According to the same study, of the 80% of victims that experienced a second ransomware attack, 68% suffered the second attack within one month of the first attack, with the attackers demanding a higher ransom the second time around.

As Mike Parkin of Vulcan Cyber is quoted as saying: “The bottom line being that once an organization suffers a successful ransomware attack, they need to up their game so it doesn’t happen again. [..] Because it will happen again. While [the victim] may not admit to the public that they paid a ransom, you can bet the attacker told their peers about it, which just makes the victim more of a target.”

When we think about the impact of a cyber attack on our business, we usually focus on the business disruption and emotional stress that would arise from one attack. I’m not sure many of us want to even think about the disruption and stress of a chain of ongoing or recurring attacks.

Read more: via ISACA SmartBrief



1: Reduce the need for an incident response plan by writing one.

Following on from the article in the National Law Review, it’s time for you to think about your Incident Response Plan.

You might think that the benefit of a response plan is to reduce the impact of an attack, because you will know how to respond to an attack. The clue seems to be in the name.

However, by working on the response plan, you naturally identify things you can do now to reduce the likelihood of a successful attack.

Here’s an example:

  1. Think about what you will need to do if a staff member tells you that they may have been fooled into revealing their password to their email account. It is likely to include the following:
    1. You will need to see what the criminals did while they were able to access the employee’s account. This will probably be difficult as the system may not record logs of activity, beyond who logged in and from where. You won’t know how long they were logged in and what they did while they were there. So, you will need to assume the worst: the criminal downloaded all of the employee’s emails and now has a permanent treasure trove of knowledge about your organisation, its employees, clients and suppliers.
    2. You may need to report it to your data protection regulator (in Ireland, the DPC) because this treasure trove contains a lot of personal data.
    3. You may need to warn your clients and your suppliers that they can’t trust emails that seem to be coming from your organisation anymore, because the criminals have significant knowledge about who is who.
  2. When you think about the implications, and how the likelihood of an attacker gaining access to an email account is significantly reduced by requiring the use of Multi-Factor Authentication across all of your online accounts, you will (hopefully) implement MFA wherever possible.
  3. Once MFA is in place, your response plan for this type of incident will be very clear and simple. The impact of such an incident should also be minimal, as the exposure of a password will not be sufficient for a criminal to gain access to the account.

So, strangely enough, by working on the incident response plan, you may reduce the need for the plan because your additional defences will reduce the likelihood of an incident.

Take five minutes to read the National Law Review article, and get writing. I have also written about Incident Response Planning in the past, so search for some pointers. My free guide to the basics should also help.

If you want tailored guidance or need someone to lead you through it quickly, just get in touch.