Lives are regularly on the line for one growing aviation services company that operates around the world. Supporting customers in a wide variety of industries and locations, the organisation moves people, critical supplies and other assets to where they need to be. Whether it is helping first responders get to remote places, delivering life-saving medicines or simply transporting customers during the last leg of a journey, the company puts safety at the centre of its operations and services.
But when a ransomware attack brought the company’s operations nearly to a halt, that safety was threatened. Around the globe, key systems that the organisation relied on—to communicate, to plan, to schedule—became unavailable or unreliable, forcing its employees to find workarounds and quick solutions to support customers’ needs. But those solutions would have been unsustainable beyond a few days. The organisation needed to restore its critical systems quickly—to support new customer requests and ensure the ongoing safety of its operations. Rapid cyber incident response and recovery was crucial.
The ransomware attack, however, also revealed an array of gaps in the company’s overall cyber readiness—something that it would have to address so that it would be ready for the next potential cyber incident and become more resilient than before.
The company lacked the internal resources and talent that would allow it to quickly break free from the ransomware attack. Leaders needed immediate outside help and called on Deloitte’s Cyber Incident Readiness, Response and Recovery (CIR3) services for critical support for responding to and recovering from the incident.
Initial focus fell on halting the active ransomware threat while seeking out any additional threat actors or malware that might compromise the aviation company’s systems or data. Deloitte worked closely with the organisation to define the path forward during response and recovery—to help determine which systems and data were most important for restoring critical business operations and to quickly create a detailed plan for response. The collaboration required the company and Deloitte to quickly make decisions on which systems to take off-line, which systems to restore and how key processes should be performed—whether manually or automated, for example.
In addition to deploying CrowdStrike and other tools for incident response and remediation, Deloitte leveraged its tested cybersecurity playbooks and methodologies, as well as a team of over 70 practitioners worldwide to help the organisation restore normal operations at eight locations. That team included those in legal, crisis communications and core cyber incident management, working in unison to establish privilege, to ensure that stakeholders were kept up to date on the event and to perform the hands-on work of cyber incident response and recovery.
The ransomware was stopped quickly to allow critical business operations to continue. And over the course of the succeeding month, the incident was well behind the company, with all essential systems restored to pre-incident levels. But the organisation’s leaders wanted to transform cyber readiness for the entire organisation. To do so, they once again enlisted Deloitte’s CIR3 services to define a strategy, establish governance principles and protocols and select and deploy technologies that would help the company to enhance its overall cyber posture.
To make its transformation vision real, the aviation company worked with Deloitte to assess global incident readiness and security capabilities, identify requirements and create a multi-year strategy and roadmap. This included using Deloitte’s managed Operate services 24 x 7 security event monitoring, analytics, cyber threat management and incident response. Deloitte also helped the organisation develop an incident readiness governance framework, processes, playbooks and technology standards. Also on the technology front, Deloitte worked with the aviation client to build a new global firewall and network architecture, migrate core workloads to the cloud and deploy continuous threat hunting capabilities.
Today, with the ransomware attack well in the past—and with a transformed cyber incident response, recovery and readiness posture—the aviation organisation can operate with greater levels of confidence and trust, all to support the safety and expectations of stakeholders.
How will your organisation respond to and recover from its next potential cyber incident? And how will your organisation transform its cyber capabilities to help safeguard your business and stakeholders and build trust from end to end?
Discover how Deloitte’s Cyber Incident Readiness, Response and Recovery (CIR3) services can help your organisation face the future with greater strength and resilience. Contact us to get the conversation started.
Bryson Str - Partner, Deloitte Canada
Robert Bloomfield - Senior Manager, Deloitte Canada