10c. Discipline
One of the clearest examples of discipline in the BL's post mortem is its methodical approach to incident response. From the moment the attack was detected, the organisation followed a structured escalation process: the intrusion was first identified as a major incident by a member of the Technology team, which invoked the Technology Major Incident Management Plan, and the Crisis Management Plan was later invoked by the Business Continuity Manager. The Accounting Officer and Chief Officers were contacted and briefed, and the Gold Crisis Response Team was later convened over a WhatsApp video call because internal email was out of commission, a reminder that an incident plan needs an out-of-band channel that does not depend on the systems under attack. These predefined procedures ensured that key decision-makers were informed, that external cybersecurity specialists were engaged, and that the Information Commissioner's Office was notified within the statutory deadline.
Discipline is also evident in the way the BL handled communications during the early stages of the attack. Misinformation or premature statements can make matters worse. No doubt the BL has procedures for controlling what information is released while still ensuring that staff, users and stakeholders receive timely and accurate updates. The BL followed NCSC guidance, balancing transparency against the need to avoid handing useful intelligence to the attackers. (I wonder what kind of information the BL could share that would aid the attackers? The post mortem isn't clear on this.) Without such discipline, the organisation could have reacted impulsively or shared unverified details.