This post first appeared on Risk Management Magazine. Read the original article.
A study released by IBM and the Ponemon Institute last March found that 77% of businesses worldwide do not have a consistent incident response plan that they can apply in the event of a data breach. Instead, these corporations rely solely on informal or department-specific damage-control strategies. Even more troubling, nearly half of the organizations surveyed characterized their incident response plans as either “ad hoc” or completely nonexistent. As the frequency and severity of cyberattacks increase and regulations like the European Union’s GDPR raise the stakes for inadequate security practices, businesses need to master the art of cyber resiliency in order to avoid costly regulatory penalties, reputation damage and financial hardship.
The process of improving cyber resiliency involves seven critical components that teach companies to combine their digital intelligence with human ingenuity. After all, cyber resiliency is not just about technology—it is about getting the right people to manage the right technology, using the right “best practices” for employee training on cyber threats, in the right way at the right time.
1. Assemble an incident response team.
The first step toward cyber resiliency involves delegating the proper responsibilities for breach readiness and response to the appropriate staff. It is important to remember that each employee has a critical role to play in an organization’s data breach preparation and response, regardless of where their professional expertise lies. Yet while all personnel should attend department-specific training and awareness meetings, only a select few make up the company’s official incident response team.
The incident response team should include an executive sponsor (usually the CEO, COO or CFO) to serve as the primary point of contact between the company and its owners and/or board of directors. They are aided by an incident team lead, who implements the company’s overall breach response plan; an IT and security lead, who executes preemptive network scans, quarantines data and reviews other items pertaining to past or present breaches; and a risk management lead, who evaluates company-wide and departmental risk levels and determines the appropriate preemptive and retroactive responses.
Along with legal counsel, the team’s compliance and privacy lead serves as the authority and intermediary on privacy and compliance regulations. A public communications or account management lead then oversees client relations prior to, during and after breaches. Informing consumers of how they will be notified in the event of a breach, and educating them on preliminary action steps that they can take to protect their data in advance of one, can go a long way in maintaining a company’s corporate reputation and consumer relations if and when a breach occurs.
2. Develop a breach readiness strategy.
Companies must develop, document and disseminate an effective breach readiness strategy. Such strategies vary widely depending on the organization in question, but nearly all of the most cyber-resilient corporations hold a few critical characteristics in common. Most, for instance, save time and improve performance by incorporating into their plans the most effective elements of their companies’ existing security, data and privacy policies. There is no need to waste resources by starting from scratch when organizations can adapt current policies and procedures to the breach readiness landscape. These tactics also allow organizations to obtain new insights into the strengths and weaknesses of their current policies and parameters in other corporate areas.
Other components of effective breach readiness strategies include a full understanding of the network environment; coordinating a list of separate company information security policies regarding data classification, encryption, access, retention, transmission and access monitoring; developing a business continuity plan that covers how data will be accessed and handled during an emergency; and conducting ongoing risk assessments that cover the executive, operational and third-party levels individually. Companies should also take inventory of and record what their contractual obligations will be in the event of a data breach, delegating responsibility for these obligations by department.
3. Understand regulatory requirements.
Companies must understand their regulatory and legal requirements prior to, during and after a cybersecurity incident (which may or may not rise to the level of a breach). It is imperative that they consult legal counsel to understand the nuances at play for each incident category. For instance, while some situations demand that organizations immediately notify their customers, others require that breaches be kept in total confidence, giving law enforcement personnel time to identify and apprehend suspected bad actors. Particularly for businesses operating in heavily regulated industries, it can help to build relationships and develop a positive rapport with local law enforcement personnel prior to a crisis—a data breach is never an ideal first time for such meetings.
4. Invest carefully in cybersecurity tools and services.
Companies should be wary of the abundance of cyber insurance and breach preparedness products currently proliferating and take care to identify and invest in a high-quality identity theft protection service. These products and consultants not only aid companies in the event of a cyber incident, they offer critical resources to help defend clients from data exposure. An ideal identity theft protection service will also offer to help companies draft notification templates to distribute to affected parties, design a list of FAQs enabling them to learn more about the identity protection services the company offers, and establish a plan to guide those affected through next steps once they have been notified of a breach.
5. Educate employees on the response plan.
Companies need to outline and acquaint their employees with each of the three elements of their data breach response plan: discovery and containment; analysis and strategy; and execution and resolution. In reviewing the discovery and containment aspects of the plan, employees should learn their responsibilities for obtaining and recording as many facts as possible about a detected cyber incident. They should understand how to consult their company’s specific breach strategy to assess and recommend whether further analysis may be necessary.
6. Develop an appropriate communication plan.
Organizations need to develop a breach response communication plan that incorporates proper notification templates and procedures. The wording of these templates, along with when and how they are released, will vary depending on whether they are meant to address clients, partners, customers, the general public, internal stakeholders or law enforcement. Businesses should therefore consult closely with legal counsel when drawing up and releasing these communications as it can be difficult to mitigate the tenuous balance between privacy regulations and disclosure requirements.
7. Practice early and often.
Perhaps most importantly, companies should not wait to conduct the first dress rehearsal of their breach readiness strategy on the “opening night” of a breach itself. Instead, organizations must engage in frequent and comprehensive breach preparedness drills that incorporate all the components and procedures outlined above. These drills should conclude with a company-wide retrospective where employees identify opportunities for improvement, as well as points where they and others performed especially well.
It is not always pleasant to imagine what might happen in the event of a catastrophic data breach. But in an age where the unthinkable is fast becoming the inevitable, companies that master these techniques can transform themselves from data breach victims-in-waiting to cyber-resilient leaders-in-training.