When you think of recent breaches, you wonder about the company’s preparedness and how it handled the communication process with customers, employees, regulators and the government. Today, cyber risk is a real challenge, and it should be treated as a business issue rather than a technology issue. No data breach should come as a complete surprise; rather, it should be treated as a foreseeable event for which you are completely prepared.
Most companies already have a strategy in place for handling a crisis and managing the communications process with stakeholders mentioned above. CEOs and their leadership teams are also familiar with dealing with the ambiguity of making quick decisions and taking calculated risks.
In the hyper-connected world, our businesses operate 24/7, 365 days a year, so it is foreseeable that we will come into contact with threat actors looking to steal data or to penetrate our systems and disrupt or destroy them in a matter of minutes. The impact can also be long-lasting, and you may not know who has access to your valuable data, where it is, or what has been done with it until days, months, or, worse, even years later.
When looking at recent breaches, the same recurring pattern has emerged. Poorly planned communication strategies were executed, and behind the scenes everyone dropped what they were doing. Critical services were also shut down with no proper, effective way to deal with the breach.
It is entirely understandable to want to explain the nature of the breach or incident and what is being done, or will be done, to remediate the issue. But when it comes to any cybersecurity-related issue, it is essential that we take into account the need to notify external and internal parties, while making sure the details of the incident are factually accurate and up to date.
Cybersecurity calls for guiding principles that determine how stakeholders will be informed about a breach, and how they will be given more information as more data is analysed and the full picture of the incident emerges.
Crisis management is never easy—and cyber crises are uniquely challenging. In fact, many cybersecurity breaches are discovered by a third party and/or leaked to the media, so company executives end up waking up to the news.
That’s the moment when the clock starts ticking. Everyone needs to take their places and act straightaway. It’s all in the plan, right? At least, it should be. Broadly speaking, today’s typical cybersecurity crisis plan includes:
- A very clear list of instructions about how to detect, respond to, and prevent any further material damage to the organisation;
- Communications priorities, channels, and messaging—for customers, employees, investors, business partners, regulators, law enforcement, the board of directors, and others;
- Specifically assigned roles and responsibilities; and
- Carefully plotted escalation paths.
Still, companies need to take that plan to the next level. Ask yourself:
- How well has your plan been tested?
- Has it been workshopped across multiple scenarios?
- Have you run your plan through mock trials?
- Is the plan even up to date?
Here are some basic steps to make your planning more dynamic and effective:
- Establish a procedure that will help keep the crisis-management plan current and always relevant.
- Test the plan and train people with mock drills—even run the board through a mock drill.
- Inject different scenarios into the basic plan. For instance, say you’ve been hit with ransomware and, on top of that, your chief information security officer has met with an accident, to borrow a phrase. Then what?
- Workshop all the different ways in which a breach could impact your business. What if your intellectual property is stolen? What if you cannot get access to your data or systems? What if your organisation’s valuable data is destroyed? Or if your e-commerce sales are knocked off-line?
- Explore all the mechanics of the way your business operates day-to-day—that’s what you need to plan for, with a continuity plan that is also tested and rehearsed.
- Break it down even further. What critical systems does your business rely on, how are they interconnected, and what are their dependencies? If your response team is busy turning off exposed systems, then, effectively, your business may no longer be operating.
- Be very sure of your continuity plan. If it’s virtually covered in dust, it may also be filled with dated information about old systems and the contact details of long-gone response personnel. And what if the only contact numbers you’ve got are for the Monday-to-Friday 9-to-5 desk phones? That may sound funny, but it happens.
Preparation takes time, and no one ever picks their team on the day of the game. The same applies to cyberattacks. Understandably, you’ve got business to conduct, but all of it can suddenly stop.
So, ask yourself: how cyber-prepared are you today? Organisations must ensure all stakeholders know what to do when a breach happens. The time is now!
This is a Security Bloggers Network syndicated blog post authored by Sean Duca. Read the original post at: RSA Conference Blog