Tips for Organizations to Prepare for a Cybersecurity Breach
The primary purpose of this blog is to provide considerations for C-Level Executives as they prepare for the potential of a cybersecurity breach. It may also be useful for IT Directors and/or Managers.
According to some of the latest statistics, cloud environment intrusions have increased 75% year over year, and there has been a 76% increase year over year in victims named on eCrime dedicated leak sites.
No matter how much time and money is invested in protecting your business, there will eventually come a day when you find yourself responding to a potential cyber breach. When that day comes, there are steps your organization must already have taken in order to reduce the cost of the breach and protect your company's brand and reputation.
Step 1: Continually Assess and Report on Risk
The very first step to prepare for a cybersecurity breach is to formally designate an officer of the company to assume the responsibilities of cybersecurity. Typically, this responsibility is given to the Chief Information Security Officer (CISO), but some other organizations may designate this responsibility for the Chief Security Officer (CSO) or another C-Level executive.
Regular updates to the Chief Executive Officer and the Board of Directors are essential because risk must be reviewed continually. Just as organizations continually review financial risk, they must also continually review cybersecurity risk. As part of this review, it is recommended that the organization discuss its alignment to a Risk Management Framework, such as the NIST RMF linked below.
Source: https://csrc.nist.gov/projects/risk-management/risk-management-framework-(RMF)-Overview
2. Create Messages That Matter to Them
Don't create messages that are long lists of "Don't do this, don't do that." Nobody responds well to negativity, and messages like that are boring. Nobody learns anything from boring and negative messaging.
"One and Done" isn't effective either. Security Awareness requires an interesting message delivered at a regular cadence. You can cycle through individual items of your Acceptable Use Policy at regular intervals, delivered as emails, newsletters, posts on your Intranet, or using other means seen as appropriate communications channels, the more the merrier. Does your company hold quarterly "Town Hall" meetings? Try to reserve a slot for security in those. Keep the message short, don't use the opportunity as a deep dive on any single topic or group of topics. Make the message about something everyone can relate to. If that message can be delivered by a C-Suite member, that is extremely effective visibility for security awareness.
You should absolutely include your Marketing Team in the creation of your security messages. They have the expertise to format and craft the message in ways that reach people and that encourage optimal understanding and retention. Aim for humorous or thought-provoking approaches to your messaging so that the message sticks.
Step 2: Have a Plan
An Incident Response Plan (IRP) is necessary for all responders to properly synchronize their activities. The IRP does not need to be overly complex in order to be effective. At a minimum, the IRP should address the following information:
a) Communications Protocol for All Employees
i. What should employees do if they detect suspicious activity?
ii. Who within the company should be notified of suspicious activity?
b) Incident Initiation Steps
i. Which employees should be part of the first response activities?
ii. Notify General Counsel (we’ll dive deeper into this topic later in this blog)
c) Containment Activities
i. Identify and contain the compromised systems.
ii. Take steps to prevent further malicious activity (such as disabling accounts).
d) Understanding the Nature of the Incident
i. Assess what type of information may have been impacted.
ii. Collection of logs and other artifacts.
e) Analyze Legal Implications
i. Work with General Counsel to assess legal implications and other obligations.
f) Implement Communications Strategy
i. Identify who to notify and what information to convey.
ii. Develop a consistent message to respond to post-notification questions.
g) Post Incident Debriefing
i. Assess the response activities and look to make improvements where necessary.
Step 3: Conduct Incident Response Rehearsals
When facing an emergency, it helps significantly if your organization has already rehearsed the response activities. At a minimum, it is recommended to conduct a rehearsal at least once a year to ensure all key members of the Incident Response Team understand their roles and responsibilities. The scenario does not need to be complex and should avoid being overly technical. If your organization does not yet conduct rehearsals, plan your first one as a tabletop exercise: the team walks through the Incident Response Plan step by step against a plausible scenario (for example, a phishing-driven account compromise) without touching production systems. A few hours once a year is enough for an organization to begin this type of activity.
Step 4: Invoke Attorney-Client Privilege
Chief Information Security Officers should not be shy about asking to bring in lawyers during all conversations involving incident response activities. This includes planning, rehearsals, debriefings and the very first steps of executing the Incident Response Plan. By involving General Counsel, you add a layer of protection to your business: communications made for the purpose of obtaining legal advice can be shielded from disclosure in court if your organization later finds itself in a lawsuit.
Two caveats are worth knowing. First, privilege is not automatic just because a lawyer is in the room; it generally attaches only to communications made for the purpose of obtaining legal advice. In practice this means counsel should direct the engagement of outside forensic firms and the resulting reports should be prepared at counsel's request for that purpose, because courts have ordered incident reports produced when they were treated as ordinary business documents. Second, attorney-client privilege is not retroactive. Therefore, the sooner it is established, the better it can be for your organization.
Step 5: Carefully Consider the Language You Use
During all stages of an Incident Response, it is important to be aware of the language used to describe events and activities. Emails, chat messages and meeting minutes form a written record that can come back to haunt your organization, especially if the wrong language is used. Avoid negatively charged words and phrases such as "attack", "inadequate", "significant lack" and "were not prepared". These words may also communicate a negative undertone to the rest of your employees and leave them feeling as if the situation is not under control. Instead, use words that convey a neutral tone, while keeping the record factual and accurate; neutral language is about avoiding speculative or conclusory characterizations, not about omitting what happened.
Don't gamble with your organization's security. Expose your vulnerabilities before attackers do. Learn how Cipher's Attack Surface Report (CASR) takes your security to the next level.
Get your complimentary CASR Assessment today.