Every organization should have a plan to protect its critical information from the actions of a disgruntled employee, or from a criminal hacker looking to make money, or from a nation state actor – an advanced persistent threat or “APT” – looking to advance its national agenda.
Management teams and board members are increasingly being held accountable for such planning by shareholders and regulators. Having that plan is necessary, but it’s not sufficient. You also need to plan for what to do when your organization suffers a breach: you need an incident response plan.
Why do you need an incident response plan? Because if one of these bad actors wants to get into your network, and they make it a priority, odds are they will. High-end criminal cyber actors can approach nation states in their technical proficiency, long-term focus and ability to concentrate resources. Last year’s WannaCry ransomware and the destructive NotPetya attack – both of which are allegedly modified tools stolen from the U.S. government – are indicative of the caliber of software that’s out there. So you need to plan for a breach.
Let’s suppose you have an incident response plan; it’s well-crafted and contains all the elements you would want to have: what constitutes a breach; what mechanisms are in place to detect a breach; who is responsible for telling whom; what are immediate actions to contain it; how do you recover and so forth. Now what do you do with it? Do you put it on the shelf until your board or your regulating agency asks for it, or until you actually have a breach? Unfortunately, that’s what many organizations seem to do with their plans.
What is the one thing everyone wishes they had more of in a crisis or emergency? Time. In a crisis caused by a breach you will have information from multiple sources, often incomplete or of uncertain accuracy, that must be factored into decision-making under tight deadlines.
There will be pressure from internal and external entities ranging from customers to employees, from shareholders to business partners to regulators, and from the media. There will be competing demands to stop the loss of data, mitigate the effects of the breach, identify the perpetrator, resume normal operations, lock down the systems, analyze the problem, quickly communicate internally and with regulators, and make public statements right now. I have been through a large number of crises in my career, and can personally attest to the fact that the clock is an unforgiving master.
So how do you get more time? By developing an incident response plan that addresses every aspect of a breach and your response, and practicing it. Practice is the key, and it must be at every level – the technical organizations responding to the breach, the business units involved, the management team and the board. By practicing, each group will be more efficient in their actions and take less time trying to decide or remember what to do. As a result, you will get to the end game more quickly, and have more time to deal with unexpected issues that arise (and they always do – the old military adage of “no plan survives contact with the enemy” is as true in cyberspace as it is on the battlefield).
Exercising the plan provides several important advantages. For example, management teams and boards will have time to deliberate on difficult choices without the pressure of an emergent situation; the resulting decisions will likely be more reasoned and complete.
Practicing the incident response plan using different scenarios also helps refine the plan and identify gaps that may not have been apparent when the plan was first developed. And as the lessons learned during each iteration are recorded, they provide the teams with a playbook they can use to guide their actions, resulting in faster execution.
Conducting an exercise of the incident response plan allows business unit and corporate teams a chance to get to know one another, which makes things go more smoothly in a crisis – you don’t want the first time key members meet to be when the roof is caving in over their heads. This also helps teams understand their and others’ roles and responsibilities.
The importance of this was illustrated in an exercise I ran last year with a foreign government, in which one of the four cyber response teams spent their time wrestling with a difficult legal question, when they should have punted that to the legal staff and spent their time understanding what the adversary was doing to their network.
An exercise should also be a chance for the organization’s response leads to meet their counterparts in external organizations. This includes law enforcement, regulators, key business partners, suppliers and customer organizations. It may be too much to hope for them to participate in the exercise, but it does provide an opportunity, while not under the crushing time constraints of a real-world event, to identify and contact those individuals. Those contacts will pay dividends during an actual breach.
An exercise, or better yet, multiple exercises of different scenarios, provides an opportunity for the management team and legal and compliance staff to fully understand the complexities involved in disclosure requirements around a breach. This is particularly important in heavily regulated sectors, and with organizations that reside in multiple jurisdictions with different rule sets. And the drills let the management team and corporate board review actions and ensure that secondary and tertiary consequences are understood, and any potential problems are identified and mitigated ahead of time.
Communications, both internal and external, are a critical part of any successful breach response. Exercising gives the organization a chance to develop principles and guidelines for communicating, and to have some pre-vetted communications for certain scenarios “in the can” and ready to go.
Communications staff has time to craft exactly the right messages: ones that convey the company’s understanding of the situation and its sense of responsibility to stockholders, customers, employees, and business partners, and that instill confidence in the ability of the corporate team to act appropriately. Legal staff has time to review actions and any public or internal statements for consistency and appropriateness. Communications color how the public, investors, and customers view you and your actions.
The U.S. military is the best in the world because of three things: its people, its technology and its planning and exercising. Units plan and practice their missions on a regular basis, at every level from squad to the Joint Chiefs, and that lets them apply that technology in the hands of those great people in a way that others can’t.
The time to develop a plan and practice actions that you would take during a breach is before the event, not during the event. Think how differently the Equifax breach might have turned out for the company if they had exercised their incident response plan.