You’d think that the last thing any company would want, when it has suffered a disruptive data breach, is to compound the problem. So why are so many companies doing just that, with sub-par cyber-incident response?
One of the main reasons is that many are still treating cyber risk as a technology issue, when it is actually a business issue. This disconnect can leave companies painfully unprepared when the time comes—a time when they need to act fast and get it right.
We’ve all seen this play out in bold headlines around the world. A financial services company antagonizes millions of consumers after their personal information is stolen. A technology company in the midst of a merger is seen downplaying a cyber incident. Patients are turned away after a healthcare organization is breached.
No doubt, many organizations have come a long way in recent years toward protecting themselves while preparing for the worst. Especially at large companies, cyber-crisis management plans are already in place, detailing what needs to take place before, during, and after an incident. The fact is, the cyber-risk conversation has finally reached the boardroom, where it has long merited attention.
That’s all solid progress, and yet we continue to see companies struggle with the response—damaging their brand, company valuation, and sales in the process. The business impact of a botched response is something that must be well understood at the board level. The reputational fallout, alone, can do more damage than any direct costs of a data breach. Yet many boards are still having the wrong conversation—treating cybersecurity as a technology problem, when it should be part of the overall enterprise risk-management strategy.
Cyber incident preparation is actually about prevention—preventing your business from going downhill. And that’s a message that should be conveyed from the very top of the organization across business lines and functions, from the back office to the front office.
Small and medium-size companies have even more work ahead of them. With fewer resources, many rely on someone juggling multiple responsibilities as their point person on cybersecurity. These SMEs might even assume that they are under the cybercriminal’s radar—they shouldn’t. Verizon’s latest Data Breach Investigations Report describes smaller companies’ many attractions to hackers, including the intellectual property of promising start-ups and the sales lists of high-end boutiques—not to mention SMEs’ utility as stepping stones to their larger partners’ systems.
A dynamic exercise
Crisis management is never easy—and cyber crises are uniquely challenging. For one thing, many cyber incidents are discovered by a third party and/or leaked to the media, so company executives wake up to the news.
That’s the moment when the clock starts ticking. Everyone needs to take their places and act straightaway. It’s all in the plan, right? At least, it should be. Broadly speaking, today’s typical cyber-crisis plan includes:
- A very clear list of instructions about how to detect, respond, and prevent any further material damage to the organization;
- Communications priorities, channels, and messaging—for customers, employees, investors, business partners, regulators, law enforcement, the board of directors, or others;
- Specifically assigned roles and responsibilities; and
- Carefully plotted escalation paths.
Still, companies need to take that plan to the next level. Ask yourself:
- How well has your plan been tested?
- Has it been workshopped across multiple scenarios?
- Have you run your plan through mock trials?
- Is the plan even up to date?
It turns out that many cyber incident response plans are virtually covered in dust. In Palo Alto Networks’ recent survey for The State of Cybersecurity in Asia-Pacific, half the respondents said their organizations only do a yearly review of cybersecurity policies and standard operating procedures. That’s not enough. Here are some basic steps to make your planning more dynamic and effective:
- Establish a procedure for keeping the crisis-management plan current.
- Test the plan and train people with mock drills—even run the board through a mock drill.
- Inject different scenarios into the basic plan. For instance, say you’ve been hit with ransomware and, on top of that, your chief information security officer has been hit by a bus, to borrow a phrase. Then what?
- Workshop all the different ways in which a breach could impact your business. What if your intellectual property is stolen? What if you cannot get access to your data or systems? What if your organization’s valuable data is destroyed? Or if your e-commerce sales are knocked off-line?
- Explore all the machinations of the way your business operates day-to-day—that’s what you need to plan for, with a continuity plan that is also tested and rehearsed.
- Break it down even further. What critical systems does your business rely on, how are they interconnected, and what are their dependencies? If your response team is busy turning off exposed systems, then, effectively, your business may no longer be operating.
- Be very sure of your continuity plan. If it’s virtually covered in dust, it may also be filled with dated information about old systems and the contact details of long-gone response personnel. And what if the only contact numbers you’ve got are for the Monday-to-Friday 9-to-5 desk phones? That may sound funny, but it happens.
Understandably, you’ve got business to conduct, and all this “cyber prep” takes time. But it’s got to be an ongoing process, for the sake of the business.
Communicating under stress
It cannot be emphasized enough: Communications are top priority in a crisis. But even when a company’s message is well crafted, things often seem to go off the rails. It’s understandable. Cyber incidents are complex, and investigations can take a very long time. The media presses for answers anyway—maybe a hundred different times in a hundred different ways. But if you don’t know the source of the breach, you don’t know.
The best course of action is to come forward with what you do know—when you know it—and don’t deviate or embellish. You can’t control the media frenzy happening around you, but you can control that core narrative. Stick to it. Make your corporate communications person or a higher level media-tested executive the sole spokesperson—someone trained not to open up and begin making random comments.
Document everything along the way: how the incident came about, which systems were affected, what was there, what was taken, how stakeholders were alerted. This is information that will eventually be required of you, in any case.
Documentation also serves another important purpose: reviewing the response, revising the plan and, unfortunately, preparing for another possible breach. Practice makes perfect.
We’ve all heard the staggering numbers around cyberattacks and actual breaches. By one count, more than five million data records are compromised around the world—every day. In today’s environment, no data breach should come as a complete surprise; rather, it is a foreseeable event for which you are completely prepared.