Organisations plan for success. They should also plan for worst case scenarios - especially in the case of a cyber attack or breach. For many organisations, preparedness means developing plans for disaster recovery and continuity of operations.
As the cyber threat landscape has evolved, incident response no longer is the sole responsibility of IT. Every organisation is targeted by adversaries, and some compromise is inevitable. Data breaches or other incidents have an impact on more than just the information or technology infrastructure - they can impact the ability for a business to operate.
As noted in the recently released "CyberArk Global Advanced Threat Landscape Survey 2016," many organisations have adopted a "post-breach" mindset, meaning they operate under the presumption of a breach and have developed post-breach response plans. The realities of today require this proactive mindset. In the survey of 750 IT and IT security decision makers, 95% of respondents reported their organisation has a cyber security emergency response plan. That's relatively good news. However, digging below the surface we also learned:
- Less than half (45%) of respondents reported the plan has been communicated and is regularly tested with all IT staff
- Four in ten (40%) state that their organisation's plan has only been communicated and regularly tested with senior IT staff.
If an incident occurs, does the PR team have a media outreach strategy in place? How will you notify customers? How will HR handle employee communications if email and intranet services go down? Are inside sales and service teams trained to handle outbound customer communications?
There are many considerations to make. At a minimum, incident response planning should address the following:
Who is in charge?
A strong cyber security response plan requires clearly defined roles and responsibilities, including empowering a strong leader and decision-maker. Many organisations default this responsibility to the chief legal counsel, but crisis experts note that although lawyers should be available to advise, they are not the best choice to lead the response.
Effective incident response requires organisational and administrative abilities as well as technical knowledge - if not hands-on technical skills. The choice of this leader can vary depending on the organisation and the personnel available, but it should be someone with an understanding not only of the IT systems but also how they support your organisation's mission and business operations. The CIO or CISO might be a good place to start in some organisations. Post-breach, clear lines of communication are required for prompt and decisive actions. Determine this in advance.
A documented response plan will cover how your organisation will work with the primary response team for data recovery, continuity of operations and forensics. It will lay out responsibilities and roles and help to ensure effective decision making in crisis mode.
Test, Adapt and Test Again
A static "shelfware" plan will not address your incident response needs. This is particularly true as the threat landscape continues to evolve. It is critical to battle-test readiness through live drills to help prevent company paralysis when a data breach or other incident occurs. Drills can help to uncover deficiencies in planning and implementation, so that plans can be updated as needed.
Periodic testing and updating is necessary to keep your incident response plan effective. Having a documented and evaluated incident response plan demonstrates to customers and regulators that your organization is taking responsible steps to anticipate and mitigate the risk of threats.
Are you prepared? Attackers will get inside the network, and they will operate undetected for months by impersonating authorised users. An important part of planning also involves taking a proactive, layered approach to security (which we regularly advocate to our customers), while ensuring security best practices are part of your organisation's DNA.