Most organisations will face a cybersecurity incident at some point, regardless of the defences in place. In KPMG’s 2018 Global CEO Outlook, senior leaders ranked cybersecurity threats as the second highest risk to their firm’s growth. Yet many historical breaches show that security incidents can be survived. When managed well, your response to an incident can show your partners and customers that your organisation takes security seriously.
A business can make a wide variety of cybersecurity investments, from prevention to incident response. It’s often challenging to determine the appropriate level of investment in each area, as each is important and contributes to an organisation’s resilience against cyber threats.
Even when your business is too small to invest in a dedicated capability, there are steps you can take to bolster your organisation against an incident.
Planning for a security incident
Assign a clear leader. During a response, coordination is needed across many teams, from IT to HR. Although technical response work will not be conducted by a single team, organisations benefit from having one clear authority who defines the response process and focuses on planning ahead of an incident.
Manage the information gap. Designate a communications lead who works alongside the incident leader to satisfy third-party information requests. During an incident, there will be numerous information requests, with a small team investigating and developing the deliverables.
Build relationships with the incident response community. Effective cooperation is built on trust, and when an incident strikes it is too late to build it. Have your team engage with business partners, national Computer Security Incident Response Teams (CSIRTs) and service providers before an incident hits. Join relevant organisations, meet security teams at conferences, or use existing mechanisms (e.g. a vendor review process) to engage the right contacts early on.
Retain external legal, PR and technical support. There will be skills not available within your team, such as PR or specialist technical support (e.g. crisis management or disk forensics). Find a provider for these services and sign a retainer before the incident strikes.
Study reporting requirements. Various reporting regulations are now in effect (e.g. GDPR), under which organisations typically have up to 72 hours to gather relevant information and report to the appropriate regulator. Understand each requirement ahead of time so that it informs your incident response process.
Exercise, exercise, exercise. It’s a common misunderstanding that security exercises are only important once you’ve achieved a certain level of maturity. In fact, exercises pay off from the very beginning. Take a scenario that affected another organisation and simulate how your organisation would deal with that same incident.
Responding effectively and managing risk
Communicate often and early. When an incident is public knowledge, it’s important to acknowledge it early. This informs affected parties that you are working on it and will provide further information when available. Regular updates ensure a cadence, so customers will come back at regular intervals and feel less inclined to look for information from other (potentially inaccurate) sources.
Be truthful and straightforward. End users lose trust when communication isn’t clear or seems misleading. Be clear and write at the technical level of your users, but don’t make things sound better than they truly are. When end users are exposed to risk as a result of your breach, say it.
Remember the basics. During an incident, focus on the key questions you need your team to pursue early on. “How did the breach take place?” “What customer data is affected?” Failing to reach basic agreement on the impact of an incident can cause delays and confusion.
After the incident
Study and document your response. The most important phase when handling a security incident is the “post-mortem”. You can’t prevent all incidents from happening, so this is a chance to review why this one took place and identify ways to improve your programme. Address causes at every level, and focus on the deeper, underlying ones, as they will lead to future incidents if left unaddressed.
Learn from the incident. An incident is often the best time to get additional investment to prevent the next one. Clearly communicate what your security programme needs to be more effective and create follow-up plans to get buy-in from your organisation’s leadership.
Share your learnings. As a community, we can only become better if we actively share information on the cybersecurity issues we experience. Airlines are so safe precisely because every failure is scrutinised and shared in detail with others, and action plans are made by all airlines regardless of which one was originally affected. By sharing your learnings, other community members have an opportunity to learn, and the internet becomes a safer place to socialise and do business.
Taking these steps, your organisation will be in a better place to effectively respond to a security incident.
Maarten Van Horenbeeck, Board Member, Forum of Incident Response and Security Teams