14 Mar 2024
Protecting against and being prepared for a cyber incident is a crucial, ongoing responsibility. But when you hear, “We have a problem, it looks like we’ve been hit with malware,” at 8.15am, you don’t have the luxury of time to let the news sink in.
At Incommunities, we heard these words last summer, when a cyber attack resulted in all our internal, on-site systems being encrypted and made unavailable. The impacts of this attack were unsurprisingly widespread across all our services and departments, from customer experience to property services to finance.
We had no access to customer files, and our call-handling capacity was massively reduced. Our teams had to move to providing a reactive service, addressing only emergency repairs reported by customers. Our finance systems were also impacted, meaning we couldn’t take customer rent payments over the telephone or pay suppliers and contractors.
Fortunately, our cloud-based systems were unaffected, so we could still use email and key systems such as payroll and repairs scheduling. Our teams responded fantastically and quickly moved to backup procedures or found innovative solutions to keep operations running and ensure the impact was kept to a minimum for customers.
We were able to put our emergency plan into action straight away, and our IT team acted fast and shut down all the servers to keep them offline and safe from any further attacks. The team informed senior leaders, our cyber insurance company, cyber forensics team, cyber response lawyers and the Information Commissioner’s Office (ICO). Failure to inform ICO within 72 hours would most likely have incurred a regulatory breach and financial penalty.
We were also able to quickly stand up a business team of senior leaders, and that was a crucial approach to keeping everyone organised and making sure teams were communicated with, avoiding duplication and an influx of calls to our IT team, so they could keep focussed on the critical recovery activity.
The impact was significant in the short term, and some areas of our business were affected for several months. Had we not been prepared for such an event, the disruption could have resulted in many more months of significant issues, including regulatory breaches and accompanying fines, reputational damage, and increased risk of fraud.
The most significant area impacted was our telephone lines, meaning customers couldn’t get through to our contact centre. We had to make a swift and difficult decision to implement a new cloud-based contact centre, rather than restore the existing service which had been compromised.
This option meant the call centre operations took longer to get back up and running, and we were operating for several weeks with no call data. But it has fast-tracked work that was planned for a future date and made that service more resilient for the future.
One of the most powerful tools in our recovery was something that had been installed earlier in the year: an immutable storage device for corporate backups that can’t be overwritten. Given our other backups were all corrupted, this was essential for getting us back up and running, as well as keeping our data safe.
The cyber forensics team provided as part of our insurance cover also had a crucial role to play, investigating the breach and offering guidance to IT colleagues to make sure that our recovery efforts were being conducted safely and securely as they began to restore and rebuild in incredibly challenging circumstances.
As this careful work was underway, colleagues across Incommunities were needing to adjust and adapt to communicate with customers, partners, and suppliers. This involved dealing with backlogs of cancelled direct debits and complaints from customers experiencing delays with repairs.
Keeping customers informed was key. We quickly initiated a major incident communications plan to provide clear and consistent updates across all our channels to all our stakeholders. Although we received some negative comments on social media, timely engagement, reassurance, and advice ensured these did not gather traction.
Along with close teamwork across our departments, we received invaluable support from our external legal team, whose expertise helped guide our communications with colleagues, customers, and the press, as well as advising us on working with ICO.
Thanks to the incredible hard work of our IT team and the processes we had in place, we were able to make swift progress in getting our systems back up and running. ICO were able to close our case after just three weeks, which is a testament to the progress we had made.
Recovering from an attack such as this doesn’t happen overnight, but between workarounds in our customer service and finance teams and the speed with which we brought our systems back online, we were able to keep disruption to a minimum.
That doesn’t mean we haven’t learnt lessons from this experience. While we are proud of the way our teams responded, we realised that our business continuity planning could have been more effectively embedded throughout the organisation prior to the attack, something we are actively working on now.
We were also aware that the effectiveness of our response owed a lot to the knowledge of key figures across our business, and that we need to improve our documentation and bring business continuity into the way we conduct succession planning to ensure this knowledge isn’t lost when people move on.
While we recovered well from this attack, we aren’t resting on our laurels. Instead, we are examining what worked well and what can be improved upon. That’s the only way we can make sure we’re ready for whatever we might need to face next time, because every cyber incident is different, and the threats we face are ever-evolving.
Sara Sheard is the executive director of business operations at Incommunities, a housing association that manages more than 22,000 homes across Yorkshire.