Looking at cyber incidents from a business point of view, rather than the traditional technical one, quickly shows that only three aspects of an attack really matter to the business. In order of magnitude (lowest to highest) they are:
- A loss of money or revenue
- A cyber-attack that disrupts business operations, e.g. DDoS or ransomware
- A data breach, e.g. customer data, PII or intellectual property
Ultimately, when drawing up strategies to defend the business and protect it from cyber-attacks, these three are what every board is considering. Each of them affects the bottom line of any organization, and the scale of GDPR fines makes a data breach the most feared of all cybersecurity issues.
A recent international risk research report noted that companies take the potential effects of security incidents seriously, especially when it comes to their brand. A loss of customer confidence was the biggest concern about a security incident (52 percent), followed closely by damage to brand or reputation (50 percent). Direct financial losses are third, with 39 percent worried about them.
So what should organizations be doing to mitigate attacks and to be ready to respond when the worst happens? As with everything in life, doing the preparation work in advance makes things easier. The critical elements an organization should have in place to respond in the very worst case scenarios include the following.
- Incident Response Plan. The ability to contain and remediate a threat. All of the other items in this list are important as well, but without a plan in place to respond to threats and major incidents the response will at best be ad hoc and at worst make matters worse for your organization. The IR plan should incorporate contact details for all affected parts of the business.
- Forensic Strategy. How will evidence be collected? Are there tools in place and adequately trained staff to use them? If not, is there a contract in place with an external provider to give support when it is required? The forensic strategy should also feed into lessons learnt.
- Customer Strategy. A strategy must be defined ahead of an incident to define what messaging will be disclosed to customers, by whom and at what time.
- Financial Strategy. There should be a financial plan in place to account for the surge of staff required to respond to an incident (both internal staff and external contractors or service providers). Who has the authority to approve the expenditure, and what are the criteria for doing so?
- Regulatory Strategy. GDPR is just one of the regulations that modern organizations have to abide by. Times of crisis are not the time to identify all of the regulations that are applicable for an incident in all of the regions the company operates in. Defining the list of regulations, reporting criteria and the regions they are applicable to is crucial to avoiding punitive fines for non-compliance.
- Legal Strategy. The legal team should work to define what the organization’s strategy is during crisis situations and what the organization’s liability will be. This strategy should take into consideration both civil legal cases and formal law enforcement proceedings.
- Media Strategy. If an organization does not control its own media messaging then other sources will fill this void. Identifying the messaging which will be delivered for various scenarios ahead of time and who will be delivering this is crucial in retaining control over a media story associated with a cyber-attack. This is especially important where public opinion about a brand or organization is at risk.
- Law Enforcement Strategy. Will incidents be handled internally only? At which point will law enforcement be notified (in the UK, cyber incidents are reported via Action Fraud, hosted by the City of London Police) and guidance and assistance requested from the NCSC? Knowing who to reach out to in local law enforcement agencies ahead of time means the organization already has a trusted relationship and can initiate these services much more quickly through trusted contacts.
- Intelligence Strategy. Cyber-attacks leave evidence which organizations can use not only for their own future protection (Indicators of Compromise) but which can also be shared with peer organizations. Sharing within a community gives early warning of attacks against members of the same group, allowing other organizations to protect themselves before the attack is launched against them as well. Defining a local sharing policy (based on the Traffic Light Protocol) lets an organization decide which information it is willing to share with external organizations to improve the community's overall security posture.
- Vendor Strategy. If a cyber-attack is successful and has bypassed a vendor's security controls, what action will the organization take? If the incident shows that security controls were inadequate, that deployed tools were not configured correctly, or that specific features were never activated, are there options to tighten security, and can MSSPs be used as a quick win?
- Insurers Strategy. Cyber insurance is now a standard part of doing business; however, policies and pricing vary greatly between regions. Organizations therefore have to identify the areas of risk for which they want to use cyber insurance. Additional considerations are the ancillary services offered by insurers and brokers, such as the deployment of an Incident Response team in a breach.
The list above is only an introduction to these eleven strategies. CISOs and CXOs should review them to see what plans and strategies are already in place, with a view to closing any gaps. Once strategies are implemented, carry out exercises and test that the processes and procedures work. Any gap in strategy will only slow down or hamper the response when a cyber-attack escalates into a breach!