Too many companies are failing to respond to cybersecurity incidents with carefully considered, strategic responses. Breaches can happen shockingly fast, with little time to react, but that’s no excuse for businesses to respond poorly.
In this digital economy, where businesses are operating 24/7, 365 days a year, cybercrime, cyberactivism, and cyberespionage can happen at an unprecedented pace, scale, and reach. Organisations can have data stolen, disrupted, or destroyed in a matter of minutes.
The knock-on effects of data breaches mean that cybersecurity is a business issue but many companies still treat it as an IT issue. This can leave companies painfully unprepared when an attack happens; yet that’s the time when it’s most important to act fast and get it right.
Most large companies at least have cybercrisis management plans in place that detail what needs to happen before, during, and after an incident. Yet, many companies still struggle to execute their responses effectively. Consequently, they see damage to their brand, company valuation, and sales.
The reputational fallout of a breach can do more damage than the direct costs of the attack. The impact can be long-lasting and companies may not know who has access to their valuable data, where it is, or what has been done with it until days, months, or even years later. That’s why cybersecurity should be part of the overall enterprise risk management strategy and addressed at the board level, which should include:
- a very clear list of instructions about how to detect an incident, respond to it, and prevent any further material damage to the organisation
- communications priorities, channels, and messaging for customers, employees, investors, business partners, regulators, law enforcement, the board of directors, or others
- specifically assigned roles and responsibilities
- carefully plotted escalation paths.
To take this planning to the next level and make it more effective, companies also need to:
- establish a procedure for keeping the crisis management plan current
- test the plan and train everyone, including the board, with mock drills
- inject different scenarios into the basic plan that force people to consider how they would react if a key person wasn’t available or a key action wasn’t possible
- workshop all the different ways in which a breach could impact the business, such as intellectual property being stolen, access to data or systems being cut off, data being destroyed, or eCommerce taken offline
- explore how the business operates day-to-day, then create a continuity plan that is also tested and rehearsed
- consider what critical systems the business relies on, how they are interconnected, and what their dependencies are. If the response team is busy turning off exposed systems, then, effectively, the business may no longer be operating
- double-check every detail of the continuity plan, from software version numbers to phone numbers to make sure it’s completely accurate and up to date.
It’s entirely understandable to want to explain the nature of the breach or incident, and what is being done or will be done to remediate the issue. But when it comes to any cyber-related issue, it’s essential to balance the impulse to notify external and internal parties with making sure all statements are factually accurate and up to date.
The best course of action is to come forward with what you do know when you know it; and don’t deviate or embellish. Document everything along the way including how the incident came about, which systems were affected, what was taken, and how stakeholders were alerted. It also lets the business review the response, revise the plan and, unfortunately, prepare for another possible breach. Practice makes perfect.
Sean Duca, Vice President & Regional Chief Security Officer – Asia Pacific, Palo Alto Networks