Tips for Organizations to Prepare for a Cybersecurity Breach
The primary purpose of this blog to provide considerations for C-Level Executives as they prepare for the potential of a cybersecurity breach. It may also be useful for IT Directors and/or Managers.
According to some of the latest statistics by Ponemon, there is a 29.6% probability that your business will suffer a cyber breach in the next 2 years. It seems that no matter how much time and investments are made in protecting your business, there will eventually come a day where you find yourself responding to a potential cyber breach. When that time comes, there are some important steps that your organization must take in order to reduce cost from a breach and ensure maximum protection of your company brand and reputation.
Step 1: Continually Assess and Report on Risk
The very first step to prepare for a cybersecurity breach is to formally designate an officer of the company to assume the responsibilities of cybersecurity. Typically, this responsibility is given to the Chief Information Security Officer, but some other organizations may designate this responsibility for the Chief Security Officer or another C-Level executive.
Regular updates to the Chief Executive Officer and the Board of Directors is essential because there must be a continual review of risk. Similar to how organizations continually review financial risk, there must also be a continual review of cybersecurity risk. As part of this review, it is recommended that a discussion is held around the organization’s alignment to a Risk Management Framework. Below is an example of one such framework:
Step 2: Have a Plan
An Incident Response Plan (IRP) is necessary for all responders to properly synchronize their activities. The IRP does not need to be overly complex in order to be effective. At a minimum, the IRP should address the following information:
a) Communications Protocol for All Employees
i. What should employees do if they detect suspicious activity?
ii. Who within the company should be notified of suspicious activity?
b) Incident Initiation Steps
i. What company employees should be part of the first response activities?
ii. Notify General Counsel (we’ll dive deeper into this topic later in this blog)
c) Containment Activities
i. Identify and contain the compromised systems.
ii. Take steps to prevent further malicious activity (such as disabling accounts).
d) Understanding the Nature of the Incident
i. Assess what type of information may have been impacted.
ii. Collection of logs and other artifacts.
e) Analyze Legal Implications
i. Work with General Counsel to assess legal implications and other obligations.
f) Implement Communications Strategy
i. Identify who to notify and what information to convey.
ii. Develop a consistent message to respond to post-notification questions.
g) Post Incident Debriefing
i. Assess the response activities and look to make improvements where necessary.
Step 3: Conduct Incident Response Rehearsals
When facing an emergency, it significantly helps if your organization has already rehearsed the response activities. At a minimum, it is recommended to conduct a dry rehearsal at least once a year to ensure all key members of the Incident Response Team understand their roles and responsibilities. The scenario does not need to be complex and should avoid being overly technical. If your organization does not conduct rehearsals, you should plan your first one to be a table-top exercise. A few hours once a year is more than enough for organization to begin this type of activity.
Step 4: Invoke Attorney-Client Privilege
Chief Information Security Officers should not be shy about asking to bring in lawyers during all conversations involving incident response activities. This includes planning, rehearsals, debriefings and the very first steps of conducting the Incident Response Plan. By involving General Counsel, you are adding an additional layer of protection to your business by ensuring that any conversations are protected from disclosure to a court, if your organization happens to find itself in the situation of a lawsuit down the road.
It is also important to note that attorney client privilege is not retroactive. Therefore, the sooner it is established, the better it can be for your organization.
Step 5: Carefully Consider the Language You Use
During all stages of an Incident Response, it is important to be aware of the language used to describe events and activities. Emails and meeting minutes contain written history that can come back to haunt your organization, especially if the wrong language is used. Avoid the use of negatively charged words and phrases such as: attack, inadequate, significant lack, and were not prepared. Additionally, these words may communicate a negative undertone to the rest of your employees and leave them feeling as if the situation may not be under control. Instead, look to use words that convey a neutral tone.