Reconnecting to an organisation that has had an incident

The CISO Lens community has collaborated to produce these eight core questions they ask of their suppliers after an incident. We are providing them here as a resource: 


When an organisation experiences a cyber incident, a common response by its enterprise customers is to sever connections in case the cyber criminal is still embedded and potentially able to use those connections to compromise additional organisations. Disconnecting digital connections, including blocking or quarantining emails from the victim organisation's domain, can have serious business workflow consequences for the customer organisations, so it is never done lightly.

We’ve seen this scenario - cyber criminals moving from organisation to organisation - play out many times, so disconnecting is widely viewed as a prudent first step. Additionally, the decision to disconnect often needs to be made very quickly. 

What often follows disconnection is the victim organisation then being bombarded with hundreds of questions from its enterprise customers who are seeking assurances that reconnecting is safe so they can resume business processes. They want to reconnect, but they also want to know their enterprise will be safe. 

As the trend of supply chain breaches continues, we think it’s important to help both victim organisations and their customers simplify the assurance process.

Eight core questions enterprise customers will ask before reconnecting. 

1. Have you engaged expert digital forensics and incident response services?

2. What steps have you taken to contain the incident?

3. Have you contained the incident?

4. Have you evicted the threat actor from your environment? (If yes, how do you know?)

5. Do you know if any of my data has been accessed or stolen?

6. Are you experiencing, or do you anticipate, any data or system integrity or availability issues?

7. What steps have you taken to reduce the threat of future compromise?

8. Can you provide evidence to support your responses to the above questions?

If your organisation is going through a cyber security incident, we encourage you to contact:

Australia: the Australian Cyber Security Centre

New Zealand: the National Cyber Security Centre