Addressing a Breach Starts With Getting Everyone on the Same Page
The best incident-response plans cover contingencies and are fine-tuned in stress tests to ensure collaboration, remediation, and recovery efforts align.
Cyberattacks continue to rise, with a staggering 38% increase in global incidents last year. Attacks on digital identities are skyrocketing, cloud attacks are increasing, and ransomware continues to plague organizations in every industry. As the threat surface expands and the concept of a network "perimeter" becomes less and less defined, the issue is when a business will be attacked, not if it will be. That means businesses need to think not just in terms of prevention, but mitigation — and that starts with a plan.
Uniting Competing Priorities
There are a lot of competing priorities during a breach. The CFO will be concerned with the financial impact. The CMO and sales teams will be worried about reputation and customer messaging. The CTO, CIO, and other technology leaders will be focused on remediation, business continuity, and future prevention. Waiting until a breach happens to pressure-test the balance between those priorities isn't ideal. That means it's important to make a plan — several plans, in fact:
Business continuity plan (IT/finance). This should include specific instructions for recovery from a wide range of potential problems. Is a disaster-recovery process in place? Are there external providers or resources to contact? How can you get in touch with them? Are there backups that can be restored? Where are they, and who owns them? This plan should encompass all the necessary processes to ensure business continuity in the event of an incident.
Crisis communications plan (marketing/PR). It's critical to have a plan that defines who is in charge of messaging to internal stakeholders, customers, your board, and the public at large. Uncertainty can lead to confusion, which can make communication less effective and cause additional headaches. It's important to include detailed instructions regarding who the key decision makers are and which teams will have input into those decisions.
Incident response plan (security). This plan should detail the steps that security and technology teams need to take to address a potential incident. That means knowing how to identify, contain, and remediate a threat, but it also means knowing how to recover from an incident and apply its lessons in the future. One of the most important steps is to appoint an incident commander to lead the response efforts. This person supports the above plans and is responsible for decisions and communications to other parts of the organization. The CISO should provide oversight, but consult with other security leaders, including the incident commander, as well as third-party experts.
These plans cannot be made in isolation — they need to be aligned with one another, and leaders need to proactively collaborate. Otherwise, competing plans may wind up forcing people to work at cross purposes, creating unintentional conflict. This means it's important to not just draw up plans, but to stress-test them as well.
Testing Your Plans: Tabletops
Tabletop exercises are scenario-based breach simulations. They're usually run internally, though they often involve external consultants who can provide an objective perspective. They may come with a variety of different scenarios, and the exercise is run much like other, traditional tabletop games. An exercise might start with a technology problem and escalate through the PR response to a major breach. It might even get to a point where bankruptcy papers need to be drawn up. It sounds bleak, but knowing what to do in a worst-case scenario is important.
The goal here is to ensure that not only do the individual players know their roles during a security incident, but that they work well together. If there are places where the business recovery plan and incident recovery plan come into conflict, it's important to know that well ahead of time. If there are gaps in coverage where those plans are insufficient, they need to be refined and improved. It's especially important to test the places where communication and collaboration are required. If security controls failed to catch something, it's important to know why. Tabletop exercises help businesses assess their current standing while identifying opportunities to reduce risk and optimize their resources.
People Are as Important as Technology
Security breaches are stressful. There's often significant risk to the business, as well as people's livelihoods, so tensions can run high. People react to times of stress differently, and that's OK — but it's also why it's important to have a plan in place that takes emotion out of the equation by providing clear, step-by-step guidance. Security technology gets most of the attention, but it's important to remember that technology isn't the only — or even the most important — thing that needs to be tested. A breach affects the whole organization, from IT and security to finance and sales. When an incident occurs, it's important to know that everyone understands the role they play in achieving a positive outcome.
About the Author
You May Also Like