Rail Professional April 2022

VIEWPOINT

• Ask staff to ensure that their passwords are unique to the company's business system and are not used elsewhere.
• Make sure that passwords are strong. NCSC recommends a string of three random words, although other organisations recommend using non-alphabetic characters and numbers within the password.
• If multi-factor authentication is enabled, it should be checked to ensure it is properly configured.
• Review user accounts and remove any old or unused accounts, particularly those for people who have left the organisation. Where an account has privileged or administrative access, particular care should be taken to check who uses that account and whether the special rights are justified. Where privileged access is used for sensitive information or resources, consider whether additional access controls should be required, such as multi-factor authentication.

Managing incidents

Cyber-attacks can be subtle, such as a phishing exercise, or a full frontal ‘denial of service’ attack. The first line of defence is to make users aware of potential cyber-attacks and what to look out for. However, if the organisation's defences are breached, there should be an incident response plan available to manage and mitigate the effects. The IT and management teams should:

• Review the incident response plan to ensure it is up to date and fit for purpose.
• Confirm that the escalation routes and methods of contact work, particularly in the case of a cyber-attack taking out key systems.
• Ensure there is clarity on who has authority to make key decisions on a 24/7 basis.
• Ensure that back-up and recovery systems function as intended.
• Undertake a table-top ‘war game’ to check that the relevant systems are able to be deployed and work correctly. If this is not the case, they should be updated ASAP.

Prevention is better than recovery

Protection against a cyber-attack is only as strong as the weakest link in the system. As data and access to data become more important to the operation of the rail system, it is important that the correct levels of protection are provided. Systems should be backed up regularly (and checked for correct data recording), a copy kept offline and the restoration process fully understood. The next cyber-attack could be a simple click away, so now is the time to check that your system is as secure as it can be and that procedures are in place in case the worst does occur.
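The user-account review described in the checklist above (remove leavers and unused accounts, review who holds privileged rights, and confirm that privileged access has multi-factor authentication) can be run as a repeatable check over an export of the directory. The following is an added illustration, not code from the article or from Addleshaw Goddard; the account fields, the 90-day "unused" threshold and the sample users are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Field names are assumptions for this example, not any real directory's schema.
@dataclass
class Account:
    username: str
    last_login: Optional[date]   # None means the account has never been used
    privileged: bool
    mfa_enabled: bool
    left_organisation: bool

STALE_AFTER = timedelta(days=90)   # assumed threshold for "old or unused"

def review_accounts(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Apply the checklist: flag leavers and unused accounts for removal, list
    privileged accounts for a rights review, and flag those without MFA."""
    findings: Dict[str, List[str]] = {
        "remove": [], "privileged_review": [], "privileged_without_mfa": []}
    for acct in accounts:
        unused = acct.last_login is None or today - acct.last_login > STALE_AFTER
        if acct.left_organisation or unused:
            findings["remove"].append(acct.username)
            continue                    # no rights review needed once removed
        if acct.privileged:
            findings["privileged_review"].append(acct.username)
            if not acct.mfa_enabled:    # extra control expected on privileged access
                findings["privileged_without_mfa"].append(acct.username)
    return findings

# Constructed sample export (fictional users) and a fixed review date.
REVIEW_DATE = date(2022, 4, 1)
SAMPLE = [
    Account("a.driver",     date(2022, 3, 30), False, True,  False),
    Account("b.signaller",  date(2021, 11, 2), False, True,  False),  # idle > 90 days
    Account("c.leaver",     date(2022, 3, 1),  True,  True,  True),   # has left
    Account("d.admin",      date(2022, 3, 31), True,  True,  False),
    Account("e.admin",      date(2022, 3, 29), True,  False, False),  # privileged, no MFA
    Account("f.contractor", None,              False, False, False),  # never logged in
]

def run_sample() -> Dict[str, List[str]]:
    return review_accounts(SAMPLE, REVIEW_DATE)

if __name__ == "__main__":
    for action, users in run_sample().items():
        print(f"{action}: {', '.join(users) or 'none'}")
```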

Martin Fleetwood is a Consultant at Addleshaw Goddard’s Transport practice. The Rail Team has over 30 lawyers who advise clients in both the private and public sectors across a wide range of legal areas. As well as contractual issues, the team advises on operational matters, franchises, concessions, finance, regulatory, property, employment, environmental and procurement issues. Disclaimer: This article is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.
