Responding Elegantly and Deliberately
While at the recent Cybersecurity Awareness Summit at the Harrisburg University of Science and Technology, one of the speakers put a slide up that said basically: Firewalls, passwords, anti-virus software, and multifactor authentication → yesterday’s news. The point being that these are really the baseline. The starting point. The bare minimum of security. He went on to state that, as we have said many times, breaches are a matter of when not if. So great, that is just great. Now what? The very knowledgeable gentleman continued to explain that what companies should be working on (and really already have in place) is a good breach response plan. Cybersecurity is about resiliency. It is about survival. Since breaches are a virtual inevitability, the only thing that will separate the women from the girls is how a company responds to the breach. The presenter at the conference said we should respond “elegantly”. And we totally agree, but would add that you should also respond deliberately.
Unfortunately, we have a prime example of a company failing to respond “elegantly” or “deliberately” to a breach. The Equifax breach exposed how poorly a company can respond to a breach: they did not seem prepared, either with a strong knowledge base of their systems or with the appropriate personnel armed to mitigate the breach. Further, managers of Equifax even sold stock prior to the public notification of the breach. (We would call that the opposite of an “elegant” response.)
The only way to accomplish these goals of an elegant and deliberate response to a breach or incident is to have a solid, thorough and practiced breach response plan. Experian did a survey of compliance and security professionals and nearly one-third of the organizations surveyed stated that their organizations had no global incident response plan in place. Regionally, just 27 percent said that they have plans at the country level. That number is disturbing considering the cost of responding to a ransomware attack has risen from $325 million in 2015 to $5 BILLION in 2017. If you want to survive, you need to be prepared to respond. And that response cannot just be limited to a domestic response because data has no borders.
Step one: have a plan and write it down. This seems simplistic, but having a written breach response plan helps in the moment of crisis. If the plan is detailed, it can be carried out without much “thought”. In other words, it takes the guesswork out of the first steps post-breach when your heart is beating in your throat and your adrenaline is pumping so hard your hands are shaking. This is the exact moment you DO NOT want to be considering the company’s reaction for the first time. Oh, and make sure that you have a written, hard copy of the plan. If it is in your computer system and your computer system is down . . . enough said.
Another consideration is how you are going to communicate with your employees. If your phone systems are down, à la DLA Piper, you need to have a way to get in touch with your critical employees first (most likely your IT staff or provider) and then the rest of your employees, so they do not attempt to log in to your system and possibly spread the virus. Also, your response team should have the ability and authority to act quickly. Waiting for management to make important decisions can waste valuable time, and oftentimes management should not be making those decisions anyway because they do not understand the problem.
Every good breach response plan should also include separate, clearly defined roles for individuals, all coordinated by the head of your response team. Breach response, like cybersecurity itself, is not just a technology issue. It involves management, IT, PR, forensics, insurance, law enforcement, and legal. Every group has an important role to play in meeting the eventual goal of surviving the breach “elegantly” and resuming business activities. And every group needs to fulfill its individual role and meld seamlessly into the main response. So how do you do that? Practice.
The expression “practice makes perfect” has never meant more than in a breach. You have to prepare for the worst so you can react at your best. You should have table-top sessions, i.e., practice exercises “testing” your breach response. Start at the beginning and run it through to the end. When a response becomes second nature, you have less of an adrenaline-fueled fight-or-flight response and develop a more measured, deliberate reaction. Also, practicing can help reveal holes in your plan or issues you did not anticipate. Practice can help refine the plan AND gives your first responders more confidence in what they are doing.
Finally, you need to regularly review and update the plan. Each time you make a change to your software, security, personnel, etc., you need to update your plan. You should also review your plan annually to ensure that you are deploying the most up-to-date response. Remember, technology changes in the blink of an eye, and so do cyber attacks. A breach response plan is not a one-and-done, set-it-and-forget-it plan. Like everything involving cybersecurity, it is a living, evolving document; you need to draft, train, test, refine, wash and repeat. Cyber criminals never sleep, and neither should your company when it comes to cyber security. And, as always, remember that when it comes to cybersecurity -- luck favors the prepared.
* * * * * *
Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.