Take a Deep Breath…and Be Thankful

By Optiv

Ah, Thanksgiving. Time to breathe, greet the holidays and revel in a few days off, time with family, and…what’s that call on your cell? “Suspicious activity? Someone accessing a server from where? When?” 

So much for relaxing.  

Wait. You can relax. You have a plan. You’re thankful for it, for the right people, and the right technology, and having them all hold hands and play nice, and you have qualified, credentialed eyes on glass. But that’s a prevention plan (which is great). What about a “when it happens” (incident) plan? You have one of those too?  


Create an Incident Management Strategy

In many organizations, this is the most overlooked step: documenting the long-term strategy for incident management. It provides an opportunity to track and highlight progress over time. This also allows the incident management structure to get in front of other business units. Some of the items to consider in the strategy are:  

  • How do other business units within an organization interface with the incident management team?  
  • What is the maturity level for the tools deployed?  
  • What types of KPIs are being tracked and how often is the data compiled? 
  • What are the incident management program drivers and business requirements?  

Incident Management Tabletop Exercise – Pretend it happened 

The best way to test an incident plan is with “what if” scenarios, sometimes called tabletop exercises. The participants include technical resources and often executive leadership, legal, human resources, and other business partners. You want the right mix of individuals to respond to the various scenarios your team is being tested on. For example, if the scenario includes an insider threat, you will definitely want human resources to be involved. It's recommended that teams conduct a tabletop at least twice a year to continue improving response efforts. It is also important to have at least one of those tabletops facilitated by an external partner with experience in incident response. This can help uncover unconscious blind spots. Tabletop exercises that extend beyond the technology teams are the best way to ensure every level of your organization is prepared to effectively manage a cyber security incident.

For example, your CFO is on vacation in Europe for a few weeks and has “spotty” grid access for part of it. Your accounting team gets an email from him requesting a wire transfer to a familiar consulting firm. Are you sure it’s from him? What’s the plan to be sure? Or say your HR manager opens an email from a potential hire and it turns out to be ransomware. After the fact, what do you say to the media? Many organizations find the courts and regulatory bodies asking questions such as: Were reasonable controls in place? Was the breach foreseeable? Did you react in a reasonable timeframe? Did you follow established procedures? (There’s your plan again.) The FTC and SEC are getting more and more involved post-breach and are asking questions around issues such as incident response plans, playbooks, how often these are tested, the results of those tests, and how you are addressing gaps. Many of these questions can be addressed with an established information security program, the effective use of third-party resources specifically trained in cyber security incident response, and operationalizing crisis management at the enterprise level. Document, document, document. There is no such thing as too much detail here.

The reality is that when it comes to breaches, chance is always a factor. But ask any prepared organization what their secret to success is, and they won’t tell you “we just got lucky.” Preparation, planning, execution, and knowing your team is ready gives peace of mind like nothing else.