IT GOVERNANCE USA | GREEN PAPER

Cyber Incident Response

Management

A beginner’s guide

Protec Protect Comply Thrive

IT GOVERNANCE USA GREEN PAPER | JULY 2021
Introduction
For today’s organizations, which rely heavily on technology and the Internet to do
business, cyber attacks are a very real threat. Worse, the cyber threat landscape is
complex and constantly changing. For every vulnerability fixed, another pops up, ripe
for exploitation.
Virtually every organization holds valuable information, often in huge quantities, so
everyone is a target. It should therefore not come as a surprise that, according to a
2020 Mandiant report, 53% of attacks successfully infiltrate without detection.1 Those
attacks may include simple phishing emails, but even the most basic attack, if
executed successfully, can wreak havoc if you are not prepared. Just look at Colonial
Pipeline: It only took one compromised password to shut down the largest US fuel
pipeline.2
What exactly is a cyber incident?
NIST defines a ‘cyber incident’ as follows3:
Actions taken through the use of an information system or network that result in
an actual or potentially adverse effect on an information system, network, and/or
the information residing therein
Broadly speaking, this translates to four types of incident:
1. Attempts to gain unauthorized access to a system and/or data
2. Unauthorized use of systems for storing or processing data (such as data
exfiltration)
3. Unauthorized changes to a system’s firmware, hardware, or software
4. Malicious disruption and/or a denial of service
2
For the purposes of your incident response plan, you may want to come up with your
own definition for a ‘cyber incident’ that better suits your organization and business
goals, but the NIST definition should provide a good starting point.
Related terms
The term ‘cyber incident’ is often used interchangeably with the term ‘data breach,’
which is actually a subset of a cyber incident. In a data breach, the confidentiality,
integrity, and/or availability of data has been compromised.4 Where the data in
question identifies or can identify a specific natural person, this is referred to as a
‘personal information breach.’
The term ‘cyber incident’ is also frequently confused with a ‘cyber event,’ which is in
fact a superset of an incident. A cyber event is any observable occurrence on a
computer that might be recorded in an event log. Many of these are completely
ordinary, everyday activities, like receiving a file or logging in to a user account.
However, it is important to know what ‘normal’ looks like, so you can put a system in
place that alerts you to ‘cybersecurity events’ – anomalies that may signify a cyber
incident or security breach (e.g. a login from an unexpected geographical area, or a
large quantity of data leaving your systems). Clearly, without having a way of
identifying potentially suspicious activities, it will be difficult to find out whether you
have suffered an incident, making it harder – if not outright impossible – to initiate an
effective response.
IT GOVERNANCE USA GREEN PAPER | JULY 2021
The consequences of an incident
Experiencing a cyber incident or data breach is more likely than you might think.
Earlier, we saw that 53% of attacks successfully infiltrated without detection during
2019. However, since those statistics only account for incidents that have actually
been identified (and before the COVID-19 pandemic, it took companies an average of
207 days to identify a breach5), it is probable that the true number is considerably
higher.
When your organization is breached, the consequences are typically threefold:
financial, operational, and reputational. However, the latter two clearly contribute to
the cost of an incident. A 2020 report found that globally the average cost of a breach
amounted to $3.86 million.6 Nearly 40% of the total cost comes from lost business
opportunities, which can be caused by anything ranging from server downtime to staff
having to remediate the effects of the breach, rather than get on with their usual
tasks.
The reputational impact – and, by extension, the financial impact – will vary
depending on a number of factors, including but not limited to the following:
• Whether you attempted to cover up the incident or were transparent about the
fact it happened, and what steps you were taking to mitigate its effects and
prevent recurrence.
• The number of records breached and/or duration of service unavailability.
• How preventable the incident was (did a skilled hacker penetrate your systems,
or did you fail to patch known vulnerabilities?).
• How long it took you to discover the incident.
• Whether you discovered the incident yourself (this did not happen for 38% of
breached North American organizations in 20197).
• The level of regulatory action (if any). This could be in the form of fines or class
action lawsuits.
3
• Whether you have suffered an incident before (which is made worse if the
previous incident was relatively recently in the news)
Several of these factors can be mitigated if you have effective measures in place,
including for incident detection and response.
Case study 1: WannaCry
In May 2017, more than 200,000 computers across 150 countries were infected with
the ransomware worm ‘WannaCry,’8 including FedEx in the US, French Renault plants,
the Russian Ministry of Internal Affairs, Taiwan Semiconductor Manufacturing
Company, and many more. Among the most affected organizations, however, was the
UK’s National Health Service (NHS), with up to 70,000 devices affected in at least 80
(out of 236) NHS units.9 As a result, more than 19,000 operations were cancelled, and
the overall attack cost the NHS an estimated £92 million (about $127 million).
As the NHS was so heavily affected, and the incident so well-covered (including by a
government investigation with a publicly available report), we can learn a lot from the
organization’s experiences. As such, this case study focuses on the NHS.
One big reason the NHS was heavily impacted was about 5% of its IT estate still used
Windows XP, which Microsoft had stopped supporting in April 2014. (Best practice
dictates that unsupported firmware, hardware, or software must be removed or
replaced.) However, the use of an out-of-date operating system was only part of the
reason the NHS was so badly affected by WannaCry. There was also a lack of effective
incident response procedures.
While the NHS had an incident response plan, it had not been tested at a local level,
so individual units were not sure about what actions to take, resulting in inconsistent
responses such as the incident being reported to different bodies.10 At a national
level, NHS England had not practiced responding to a major cyber attack (as opposed
to incidents confined to a particular geographical area), so spent more time than
IT GOVERNANCE USA GREEN PAPER | JULY 2021
strictly necessary analyzing the problem before it could coordinate any kind of
effective response. In such a situation, every minute counts – not just because the
self-replicating worm is rapidly spreading, but also because a continued disruption in
providing health care can cost lives.
The UK government conducted an independent investigation, and was transparent
about the lessons learned and its plans to make the NHS more cyber secure. One of
the most notable actions was introducing a new security standard that all
organizations that access NHS patient data and systems must show they meet by
submitting an annual assessment.
Case study 2: LockerGoga
In March 2019, Norsk Hydro (Hydro), a large aluminum and renewable energy
company, suffered a LockerGoga ransomware attack that disrupted its operations on
a global scale, affecting 170 sites across 40 countries, and ultimately cost it in the
region of 550–650 million NOK (about $62–73 million).11
In spite of this financial cost, the operational disruption, and a clean-up that took
months to complete, Hydro did not merely avoid reputational damage – it arguably
improved its reputation, with its response being widely described by law enforcement
entities as “the gold standard.”12 This praise was largely given in view of Hydro not
paying the ransom – in fact, it did not even communicate with the attackers to ask
how much they wanted – and being transparent about the fact it suffered an attack
and what actions it was taking in response. It also communicated with the appropriate
national and international authorities.
However, that is not all that should be commended about Hydro’s response. The
company was able to rely on a fallback – “work-intensive workarounds and manual
procedures” – to keep certain business areas “close to normal despite the attack.”13 It
was hardly ideal, but it worked, particularly as a temporary measure. Importantly,
Hydro gave itself an alternative to paying the ransom.
4
As part of Hydro’s remediation actions, it reviewed and cleaned all its computers and
servers, and safely restored them, using backups, in line with appropriate guidelines.
Note that such a restoration can only be done if you have the foresight to run backups
at an appropriate frequency – a point we will come back to later in this paper.
Hydro also reorganized its security team to better detect and respond to future
attacks – a clear sign of incorporating lessons learned. Finally, the company noted that
it has “robust” cyber insurance in place – something that is not possible without
assurances to the insurer that the policyholder has put adequate security measures in
place.
A note on ransomware payments
Many organizations that find their data or computers locked by ransomware are
tempted to pay the ransom to both be able to return to business as usual as quickly
as possible, and likely end up with a smaller bill – at least, in the short term.
There is, however, good reason that law enforcement entities urge organizations
not to pay. For a start, you would be relying on the goodwill of the attackers – who
were prepared to commit the crime in the first place – to provide the decryption
key and not keep a copy of any data they stole. Organizations that have paid once
are also much more likely to be targeted again. On top of that, the ransom
payment likely encourages and finances future criminal activities.
IT GOVERNANCE USA GREEN PAPER | JULY 2021 5

Mitigating the risks
At the end of the day, the best cure is prevention. Preventing incidents from
happening in the first place is the only guaranteed way of avoiding the damage and
costs associated with them altogether.
Detective measures are designed to alert you to anomalies that may signify an
incident – after all, you cannot react to an incident if you are not aware of it – while
responsive measures aim to mitigate the damage and get you back to business as
usual as quickly as possible. Together with your preventive measures, you can create a
multi-layered defense system that will enable you to mitigate the risks effectively.

Achieving this is easier said than done, however. If a skilled attacker is determined to
find a way into your systems, given enough time, effort, and resources, sooner or later
they will probably succeed. That said, the vast majority of cyber attacks are launched
by unskilled attackers, attempting to exploit publicly known vulnerabilities by using
automated software created by more skilled criminal hackers.

The vulnerabilities they try to exploit are often relatively straightforward to fix with
basic technical controls such as anti-malware software and patching. However, failure
to implement them can have dramatic consequences – the WannaCry attack and its
international repercussions is but one example.

Many other incidents are accidental, which are, by their very nature, avoidable. Often,
they are caused by carelessness or ignorance, like sending data to the wrong recipient
or falling for a phishing email. In both scenarios, the cause of the breach – human
error – can be addressed effectively with staff awareness training.

Of course, there is much more to prevention than this. For more detailed information,
take a look at our Cybersecurity and Business Resilience – Thinking strategically paper.

However, on the basis that sooner or later a determined attacker will break through
your preventive measures despite your best efforts, you should take action now to
ensure you can respond swiftly if and when you suffer an incident, enabling you to
minimize the damage. Those preparatory measures should come in two main forms:
detection and response.
IT GOVERNANCE USA GREEN PAPER | JULY 2021
Incident response plan
A crucial part of cyber incident response management is having an incident response
plan, which should at least include:
• Roles, responsibilities, and dependencies
• Senior management support and ownership
• What your organization considers a cyber incident
• Classifications for different severity levels
• Escalation procedures, including a reporting process
• Authorization for shutting down business-critical activities
• Compliance and reporting requirements
• References to step-by-step instructions for playbook scenarios – since it is
impossible to cover every type of incident in the plan itself, it should be
supported by different playbooks that detail the actions to take for specific
incident types, which the plan links or refers to
6
While incident response plans are not uncommon, it is important to ensure they
account for cyber incidents as well as physical ones; otherwise, you will struggle to
deal with the characteristics that are unique to cyber incidents, like not being
geographically bound. As the NHS in the UK experienced with the WannaCry attack,
that characteristic, particularly if you are unprepared for it, can make it difficult to
identify cause or assess the incident’s full impact.
Having said that, be aware that cyber incident response management is not just an IT
function. Like any type of incident management, it is a business function that impacts
– and should therefore involve – a wide range of stakeholders, from both internal
departments and external bodies.
Another vital point is to test your plans on a regular basis – we recommend testing
them at least annually and after any significant changes. Testing does not just
highlight any flaws and give you the opportunity to fix them (or confirm that your
plans work), but will also familiarize staff with the plan and train them to respond as
efficiently as possible. This will avoid situations like WannaCry, when local NHS units
were unsure of the correct procedure due to a lack of exercise, so initially reported
the incident to different bodies, which delayed the start of an appropriate and
coordinated response.
More to the point, panicking when first becoming aware of a (possible) incident is a
very human response, and may lead to the wrong decisions being made. The only way
to combat that risk is by training staff, so they know what to do, even when under
pressure.
IT GOVERNANCE USA GREEN PAPER | JULY 2021 7

Incident response process
Some incident response plans also include a high-level incident response process
(such as Figure 1 below, but you can, of course, draw on any recognized framework
like NIST SP 800-61 or ISO 27035). This can help create step-by-step playbooks for
incidents particularly likely to occur, or that would be especially stressful and
complex to handle. A high-level process can also help in situations not covered by
any playbook scenario.
Detect
Note that you do not need to have the necessary expertise internally to complete
each step. In fact, it is often more cost-effective to seek external help, not to mention
that it can also give you access to more experienced practitioners. Nonetheless, it is
important you know how to identify an incident and have a broad understanding of
the different stages in the response process, if only so you know when to call for what
help.
Whether you rely on internal resources or external expertise, be sure to document
the actions you take as you go through the steps of your response (when your plan
has been triggered). This will help you complete any necessary reports (e.g. to the
police or your insurers), as well as provide a useful resource when you review your
actions and plans, and incorporate improvements based on your experiences.

Triage The following sections will go through each of the stages in Figure 1. You may not
If applicable want to adopt all of these and/or add some not covered here, depending on your
Escalate organization’s approach to incident response.

Assess Report
Detect
False alarm

Remediate Unless you know that an incident has happened (or may have happened), you will not
be able to respond effectively, if at all. How you detect an incident will vary depending
on the nature of that incident – a stolen or lost laptop is quickest to discover via a
Recover staff report, for instance, while cyber attacks will likely require some form of security
monitoring. Where an anomaly is detected (multiple failed login attempts to a user
account, for example), an alarm is raised for someone to manually investigate.
Review
As mentioned previously, it is only possible for an anomaly to be detected if you know
what ‘out of the ordinary’ looks like. Equally, staff will only report an incident if they
Resolved
know what constitutes one and are trained to report it to the appropriate person or
Figure 1: A typical high-level incident response process
team.
IT GOVERNANCE USA GREEN PAPER | JULY 2021
Triage
Triage, which normally involves a manual follow-up to a cybersecurity event, needs to
occur as quickly as possible after the initial report. This process must establish
whether you are dealing with a false alarm or a cyber incident and, if the latter, how
to escalate it. It is important you document the process, showing how you reached
your conclusions and providing information you may need later.
Assess
If it appears to be an actual incident, you need to assess the situation to determine
what further steps you must take. What type of incident are you dealing with? What
systems and/or data have been affected? Understanding the nature of the incident
will help direct your remediation activities – for instance, if you are dealing with
ransomware, affected devices will need to be cleaned for malware and restored using
backups.
Depending on the nature of the incident, you may also need to act quickly to contain
the damage (for instance, if you are aware of an attacker moving through your
systems, you could force logout). Note the importance of planning ahead here: You
cannot force a logout, or complete various other containment actions, if you have not
enabled that feature in advance.
Where data has been breached, you also have legal reporting obligations to meet.
Within days or even hours of becoming aware of the data breach, you must establish
what data has been compromised, how sensitive it is, how many people are affected,
whether the data was encrypted, and other information that will determine the
impact of the breach. In turn, this will determine whether the breach is reportable.
8
Report
Where applicable, you need to report the incident to relevant stakeholders, such as
the FBI, regulators, insurers, partners, and customers. The FBI encourages victims to
report Internet-enabled crime for investigative and intelligence purposes.14 It also
points out that rapid reporting may help you recover lost funds. Where you have
regulatory reporting requirements, you must submit separate reports to the relevant
authorities.
Depending on the level of risk posed to affected individuals, you may also be required
to notify them directly. Supervisory authorities typically also encourage you to offer
advice about steps people can take to mitigate the risks they may face. This can
include, for example, a warning to be wary of phishing emails that fraudulently claim
to represent your organization, and a recommendation to change their passwords as
soon as possible.
If the breach is significant enough that you need to inform affected individuals
(whether they are partners, customers, or otherwise), you may also have to issue a
public statement and/or provide comment to the press.
IT GOVERNANCE USA GREEN PAPER | JULY 2021
Remediate
Now that you understand what you are dealing with, it is time to remediate the
situation and repair the damage. If you are dealing with malware, for example, you
need to eliminate every trace of it, and likely harden and patch your systems before
recovering them.
Business continuity
Particularly during the remediation stage, you may have to rely on workarounds to
keep production and/or service availability to acceptable levels. While the
approach Hydro took – relying on work-intensive, manual workarounds – worked
for them, it is not suitable for everyone.
It makes sense to consider your business continuity arrangements as you plan
your incident response. Consider which resources and activities are the most
business-critical, how severe the business impact would be if those
resources/activities were stopped or cut off, and how quickly that impact would
become unacceptable. Once you have established these things, use that
information to determine recovery time objectives and priorities, and what
resources are necessary to achieve those objectives.
Download our free
business continuity paper
9
Recover
Recovery is all about getting back to business as usual. At this stage, any trace of
malware or other cyber threats should be eradicated, meaning that systems and
backups can be safely restored (although it is sensible to test impacted systems before
connecting and using them as normal again). It is also a good idea to let users know
that everything is up and running again.
It is worth reiterating how important it is to think ahead: Your response plans,
prepared in advance, must outline what steps to take, and you must also ensure the
right technological measures have been implemented to make the execution of those
plans possible. Restoring backups, for instance, is only useful if you ran regular
backups before the incident happened.
Review (lessons learned)
After you have fully recovered from the incident, you should review your response
plans, procedures, and other measures to identify scope for improvement. This could
be to prevent a future occurrence of the same incident, or to improve your responses
in general.
For instance, an organizational equivalent of introducing the new security standard for
UK health care organizations might be to conduct annual security audits on key
suppliers. Or you might take note from Hydro, and reorganize your security team (or
choose a more appropriate external security provider) and review your cyber
insurance.
However you implement lessons learned, make sure you do review your actions.
There is no better way to improve, and gradually become a more secure and resilient
organization with time.
IT GOVERNANCE USA GREEN PAPER | JULY 2021 10
10

Conclusion
Remember: Suffering a cyber incident is a matter of when, not if, but an effective
response can significantly reduce the impact. Achieving this requires you to think
ahead and put appropriate detective measures in place – after all, you cannot respond
to an incident if you do not know that one has happened.

Moreover, much like you cannot put a fire out if you do not have fire extinguishers or
sprinklers ready, an effective cyber incident response is out of the question if you are
not prepared with the right responsive measures. So, regularly back up your data, set
up remote wipe features, prepare any other necessary technical measures and
processes, and, above all, make sure staff know what is expected of them.

Speak to an expert
IT GOVERNANCE USA GREEN PAPER | JULY 2021
Useful cybersecurity resources
IT Governance USA offers a unique range of cybersecurity products and services, including documentation toolkits, staff e-learning, training courses, and professional
consultancy.
Cyber Resilience Toolkit
This toolkit contains a full set of easy-to-use, customizable,
and fully ISO 27001- and ISO 22301-compliant policies and
procedures for a complete cyber resilience management
system.
Cyber Security Complete E-Learning Suite
Ensure staff can spot and respond to cybersecurity and
privacy risks. Access all four of our cybersecurity staff
awareness e-learning courses and a game to train employees
on best-practice approaches.
Certified Cybersecurity Foundation Self-Paced Online
Training Course
Perfect for those looking to start their career in cybersecurity,
this course covers all aspects of cybersecurity at a foundation
level. Learn in your own time, at your own pace.
Cyber Health Check
This health check will provide you with a concise and detailed
report describing your current cyber risk status and critical
exposures, and will draw on best practice.
11
11
ISO 22301 BCMS Toolkit
Streamline your ISO 22301 compliance project with more
than 70 customizable business continuity templates for
policies, procedures, work instructions, and records.
Incident Response Management Foundation Training
Course
Learn how to effectively manage and respond to disruptions
and take appropriate steps to limit the damage to your
business, reputation, and brand.
Business Continuity Management Lead Implementer
Self-Paced Online Training Course
Learn how to implement an effective business continuity
management system (BCMS) that prepares your organization
for any disruption. Learn in your own time, at your own pace.
ISO 27001 FastTrack™ 20
This turnkey consultancy package is designed to help small
organizations with up to 20 employees reach ISO 27001
certification readiness in just three months for a fixed price.
IT GOVERNANCE USA GREEN PAPER | JULY 2021 12
12

Other papers you may be interested in

IT GOVERNANCE USA | GREEN PAPER IT GOVERNANCE USA | GREEN PAPER

Cybersecurity and Business Continuity

Business Resilience and ISO 22301

Thinking strategically Preparing for disruption

Protect Comply Thrive Protect Comply Thrive

Cybersecurity and Business Resilience – Thinking strategically Business Continuity and ISO 22301 – Preparing for disruption
IT GOVERNANCE USA GREEN PAPER | JULY 2021 13
13

IT Governance USA solutions

IT Governance USA is your one-stop shop for cybersecurity and IT governance, risk Training
management, and compliance (GRC) information, books, tools, training, and
We offer training courses from staff awareness and foundation courses, through to
consultancy.
advanced programs for IT practitioners and certified lead implementers and auditors.
Our products and services are designed to work harmoniously together so you can
Our training team organizes and runs Live Online and self-paced online training
benefit from them individually or use different elements to build something bigger
courses all year round, as well as in-house training courses, covering a growing
and better.
number of IT GRC topics.

Visit www.itgovernanceusa.com/training for more information.

Books
We sell sought-after publications covering all areas of corporate and IT governance. Consultancy
Our publishing team also manages a growing collection of titles that provide practical
advice for staff taking part in IT governance projects, suitable for all levels of We are an acknowledged world leader in our field. Our experienced consultants, with
knowledge, responsibility, and experience. multi-sector and multi-standard knowledge and experience, can help you accelerate
your IT GRC projects.
Visit www.itgovernanceusa.com/shop/category/it-governance-usa-books to view our
Visit www.itgovernanceusa.com/consulting for more information.
full catalog.

Toolkits
Our unique documentation toolkits are designed to help organizations adapt quickly
and adopt best practice using customizable template policies, procedures, forms, and
records.
Visit www.itgovernanceusa.com/documentation-toolkits to view and trial our toolkits.
Software
Our industry-leading software tools, developed with your needs and requirements in
mind, make information security risk management straightforward and affordable for
all, enabling organizations worldwide to be ISO 27001-compliant.
Visit www.itgovernanceusa.com/shop/category/software for more information.
 IT Governance USA is the one-stop shop for cybersecurity, cyber
risk, and privacy management solutions. Contact us if you require
consultancy, books, toolkits, training, or software.

t: +1 877 317 3454

e: servicecenter@itgovernanceusa.com
w: www.itgovernanceusa.com

A GRC International Group PLC subsidiary

420 Lexington Avenue, Suite 300

New York, NY 10170, USA

IT Governance USA Inc.

@ITG_USA

/it-governance-usa-inc

@ITGovernanceUSA

© 2003–2021 GRC International Group PLC | Acknowledgement of Copyrights | GRC International Group Trademark Ownership Notification
Endnotes
1
Mandiant, “Mandiant Security Effectiveness Report 2020”, May 2020, https://www.fireeye.com/current-threats/annual-threat-report/security-effectiveness-report.html. Be aware
that statistics reporting on 2020 activity (2021 reports) will almost certainly be aberrant, with increased levels of cyber crime in response to the mass move to remote working, and
that 2019 figures (2020 reports) likely offer a more accurate reflection of the current cyber landscape.
2
William Turton and Kartikay Mehrotra, “Hackers Breached Colonial Pipeline Using Compromised Password”, Bloomberg, June 2021,
https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password.
3
NIST, “NIST SP 800-160 Vol.2”, November 2019, https://csrc.nist.gov/glossary/term/cyber_incident.
4
‘Confidentiality’ means that the data is only accessible to those who need access to it. ‘Integrity’ means that the data is protected from unauthorized modification, destruction, and
loss. ‘Availability’ means that the data is accessible to authorized persons as and when necessary.
5
IBM, “Cost of a Data Breach Report 2020”, July 2020, https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/.
6
Ibid.
7
Trustwave, “2020 Trustwave Global Security Report”, April 2020, https://www.trustwave.com/en-us/resources/library/documents/2020-trustwave-global-security-report/.
8
Ransomware is a payload that encrypts or otherwise prevents access to the user’s files until a ransom is paid (usually in Bitcoin). In WannaCry’s case, the payload was transmitted
by a worm: a self-replicating program (i.e. a program that can replicate without user interaction) that can function without having to be embedded in another program. This
combination of characteristics allows worms to spread widely within a short space of time.
9
Robin Henry, Rebecca Myers, and Jonathan Corke, “Hospitals to struggle for days”, The Sunday Times, May 2017, https://www.thetimes.co.uk/article/nhs-cyberattack-bitcoin-
wannacry-hospitals-to-struggle-for-days-k0nhk7p2b; and National Audit Office (NAO), “Investigation: WannaCry cyber attack and the NHS”, April 2018,
https://www.nao.org.uk/report/investigation-wannacry-cyber-attack-and-the-nhs/.
10
“Investigation: WannaCry cyber attack and the NHS”.
11
Norsk Hydro, “Cyber-attack on Hydro in brief”, October 2020, https://www.hydro.com/en-GB/media/on-the-agenda/cyber-attack/; Joe Tidy, “How a ransomware attack cost one
firm £45m”, BBC, June 2019, https://www.bbc.co.uk/news/business-48661152; and Reuters, “Norway says Norsk Hydro has been exposed to LockerGoga ransomware attack”,
March 2019, https://www.reuters.com/article/us-norsk-hydro-cyber-lockergoga-idUSKCN1R01KI.
12
“How a ransomware attack cost one firm £45m”.
13
“Cyber-attack on Hydro in brief”.
14
FBI, “The Cyber Threat“, accessed July 2021, https://www.fbi.gov/investigate/cyber.