Intelligent responses depend on three elements:
- Incident Response Planning
- Business Continuity Planning
- Crisis Communication Planning
There are numerous articles and memos deal with the topic of incident response, business continuity, and crisis communication plans. Many have been distributed through media outlets even. So you may be asking: why us, why now, and what more could we possible offer in this space?
We think the answer is pretty simple: sometimes you can’t get enough of a good thing. Similarly, there are fundamental topics that people still are having problems with. Translation: more homework to do. One subject area that evidently needs work is responding confidently to a cyberattack in an intelligent and public manner. There are a great deal of texts and certifications out there on these issues (some better than others of course), but if we could, we’d like to give you some “basic street talk” on these issues. Essentially, we want to present to you the issues in a way that you could discuss while having a coffee or drink.
We won’t name names, but there are real life examples of “good” responses. You intuitively know a good response. You feel a level of confidence that the company has the facts, knows the circumstances of what has happened, and is going “full steam ahead” to clean up whatever the mess is. Despite the situation being bad, you know that whoever is steering the ship has things “under control.”
And then there are the “other” responses. You intuitively know a bad response also. It’s the one with the bad smell, the train wreck you can’t watch but still want to, and the one where you throw up your arms and say to yourself “are you kidding me?! You can’t be that out of control!” In cases like this, you’ll normally see a swarm of regulators, stakeholders, investors, and the public directing a lot of “ahem” to the organization and its executives.
Paradoxically almost, you seldom remember the “good” responses, but you never forget the bad one (they usually end up as case studies in business reviews and university textbooks).
Like we said, not naming names, but we want to give you some “quick hits” as to what we, the #CyberAvengers, feel works and what does not work when you have a cyber train wreck at your fingertips. Here goes:
Incident Response Planning
There are plenty of things that often come up concerning the importance of incident response (or “IR”) planning. First, the importance of having a plan cannot be understated. The worst time to figure out what to do or say if there is in the middle of cyberattack. Simply put, things get too crazy to think.
For instance, internet access might get disrupted, files might get encrypted, executives might get fired or suddenly retire, or revelations might occur indicating a major loss of customer information or financial data. All of these issues might indicate a range of problems from either a “manageable” to a “catastrophic” problem depending upon what happened. Problems get further compounded if the company is publicly traded, or is regulated by a federal or state agency (such as the SEC or the NY DFS) where the timeliness and accuracy of disclosures matter greatly, along with the reputation of the company or firm being attacked.
All stuff you know so far. Now comes the moment of not mucking it all up.
To minimize the impact of such an attack and to protect the company and its stakeholders, strong incident response plans have the following attributes:
1) The IR Plan needs to be practiced often and not left in the desk drawer waiting for the first disaster to strike. Do even the top athletes of the world practice before the big game? Yes. They do. So if the very best need practice for something routine (like playing a game they’ve played their entire life), you can sure as bet you need a lot of practice for something that is hopefully not routine (check your business model if you’re running into disasters a bit too often). And practice your IR plan with all people internally, such as the board, executives, IT, HR, and the general counsel’s office. It’s not a bad idea to have an outside lawyer and cyber forensic advisor as well because in a real disaster, you’re probably going to need them too. Failure to practice your IR plan is more or less the number one “YOU LOSE!” issue we see.
2) We recognize you have limited resource and can’t think of every possible disaster, but you need multiple plans and you need plans to test your limits. Practicing touch football will do little for you if you’re preparing for the Super Bowl. So think small and large breaches in various forms, such as DDoS, ransomware, insiders, corporate espionage, and depending on your size, even nation-state attacks. Make sure all of your plans have mechanisms to notify/activate the right people. This includes law enforcement, regulators, stakeholders, and investors. And plans can’t stay static, so keep in mind that plans need to address personnel changes and organizational restructures. No two cyberattacks are alike, so all IR plans cannot be alike either. In the heat of battle, you will simply be overwhelmed if you’re applying your DDoS scenario to your ransomware issue. They have different characteristics and implications, meaning they are not easily interchangeable.
Practice hint: if you are a multinational, you should have different regional plans and see if and how they would need to interact, particularly if an attack in jurisdiction A can have an effect on jurisdiction B. Different people involved, different laws, different vendors. You need to know all this stuff ahead of time.
3) Who’s the boss? You need an incident commander. Somebody needs to be in charge (they may be able to hand off if the situation changes) but somebody has to be the boss. Crisis handling by committee usually ends up in a boil over. Identify who needs to be the boss for the scenario at hand and who their support team will be. Sometimes it’s the CEO taking all the hits. Sometimes is the general counsel leading, with the CEO being the public face. Other times it’s a technical specialist running the table internally, but helping the PR team craft the external message. Experienced crisis management firms are helpful for disclosures, but if you go this route, make sure they know have experience in cybersecurity issues, because cyber is an animal we still do not know well. Just be sure to have somebody calling the shots. And support them. Now is not the time for puffy chest.
4) Timing is everything, especially for public companies that are trading daily on information available to investors. We are often told that we should “just get the information out there” and there is reason for that advice, but be prudent. Trying to outrun a potentially out of control speeding locomotive without some safety precautions could result in … well, use your imagination. We’re trying to keep this article G-rated. With that said though, don’t sit back to watch and enjoy the show because once that train cross state lines, you may have no control at all. We admit this is not an easy task. You have to find that sweet spot between “doesn’t have its act together” or “is potentially hiding something.” It’s sort of like mastering that delicate art of like tap dancing on the head of a needle without getting pricked. By the way: this is why we practice!
5) The best way to respond to an incident is to know about it before anybody else so you can kick the attackers off your system. We covered this issue in detail in our recent book, Take Back Control of Your Cybersecurity Now, but here are some notes: used prudently, machine learning, automation, and orchestration solutions are your friend. They can significantly reduce the time to discovery of the breach (also known as “dwell time”). These tools may even help you prevent the breach all together.
Business Continuity Plans
Business Continuity Planning (or “BCP”) is an essential part of corporate resiliency. We see them activated for issues like natural disasters and even terrorist strikes. But in the face of cyberattacks, they are more important than ever. Effective BCP helps get you back in the game sooner. This is critical because too much down time could completely destroy your business. Think of it like this: you have the ability to bend while others are breaking. And just like IR and crisis management have evolved, so has BCP. Therefore, lead with skepticism if your BCP is being conducted by somebody who has little understanding of cybersecurity issues.
Good BCP relies on proper investigation and remediation of attacks. Forensic cyber experts and lawyers are well versed in these issues. And BCP relies on IT experts who create proper, segmented, offline backup media (daily! ... and is regularly tested to ensure it will actually work in time of crisis) so that the endpoints and network assets can be restored quickly and easily. Reminder: #BackItUp!
Here is a thought for your scenario testing and planning: take your busiest day or time period, say Black Friday or the two weeks before Christmas and imagine losing your services to whatever scenario (ransomware, DDoS, etc.). Just play out your nightmare scenario and see how you’d deal with it. PS – we just took out your first line of third-party suppliers/vendors/experts because of supply chain integration. They’re down now too. What do you do now? PPS – Sorry, but don’t say we didn’t warn you!
Just like with IR, review, update, and test BCP regularly. Businesses are dynamic. We have accepted that into our corporate culture. But we have not necessarily adopted the same feeling in terms of continuous improvement for IR or BCP. These are those things where we don’t see return-on-investment until they’re actually needed. Just remember things can always be improved and in this modern interconnected world, effective BCP must deal with the variety and complexity of vendor dependency. Long gone are the days where you could do everything “in house” unfortunately, so you need to regularly review and update vendor roles and responsibilities. Yes, it’s cheaper during “peace time” to have a vendor-dependent/subscription-based business model, but if you’re not ready for the war, your losses could be catastrophic.
Crisis Communications Planning
Worst time to exchange business cards is the middle of a crisis. Over-thinks cause delays. Analysis paralysis can turn a press release into a bunch of gobbledygook. And seriously, do you really want to be doing this for the “first time” during a crisis? The #CyberAvengers are an adventurous bunch, but even we have our limits.
You see, crisis communications is there to manage the intangible, the things that rely on confidence, such as reputation and market capitalization. You may in fact have your act together but if the message coming out of your organization seems like utter chaos, the public will make up their mind on that information, not what is actually going on. If you accept for a moment that emotions and images are more powerful in impacting our decision-making over rationality and words, then you see our point of view crystal clear. So toss out the window you are in control of this situation (in terms of how the public views you) and do your best to manage what you have to deal with. Here are a few pointers to help with the management.
1) A pre-meet with the FBI and Secret Service is not a bad thing. In fact, we strong believe in doing so. Why? Go back to our “worst time to exchange business cards is in the middle of a crisis” comment. Meeting beforehand gives all parties a chance to meet without someone’s hair being on fire (and incredibly reduces the possibility of an errant punch to the face when frustrations boil over). During the pre-meet you can discuss systems and IT networks. You can also discuss expectations and levels of support. It makes a difference. And of course, you do that good ole fashioned thing called “building a relationship” with persons and institutions. Not a bad thing. We know. We do this religiously in fact. There are instances where a pre-meet, coupled with time and accurate disclosure, have discouraged lawsuits. This is a very good thing. So remember, a friend in need is a friend indeed. And if you got a nation-state or transnational crime syndicate smashing through your network (or being the stealthiest little bugger you have ever encountered), having friends of this kind are good to have.
2) Pre-draft your disclosures for different scenarios. Much like planning for different attacks, having these different templates in your back pocket saves you valuable time. Consider that most significant breaches will require disclosures to regulators, shareholders, investors, employees and others. The European Union’s GDRP has given consumers a mighty hammer and if you’re not ready for the GDPR, you may be facing a world of hurt on that (keep an eye out for the #CyberAvengers playbook coming out soon which talks more about the GDPR). And some of you may giggle at this, but have some disclosures ready to go with 140 characters. In case you haven’t noticed, Twitter, social media, and bloggers sort of play a big role these days. It’s your way of speaking directly to the people without an intermediary filtering your message.
3) Use people who have experience. This point is the pièce de résistance. As we mentioned above a few times, it is important for all companies to project an air of confidence in the middle of a breach. Confidence goes a long way. It shows the company has its act together. It shows that it understands and appreciates its different constituents. It can move markets. Somebody who understands all these moving parts are a system – not a bunch of individual goals – can turn a crisis into a success within 72 hours. But don’t be fooled, these skills are not acquired overnight. A good way to identify somebody experienced is if they (FIGURATIVELY!!!) have been battered, bruised, full of battle scars, but are still going on with a smile on their face, plugging away.
This, dear friends, is called resilience. And get used to it, because life today that is so reliant on cyber will require a lot of resilience.
Much the same way you wouldn’t go do a podiatrist for your dental issues (despite increased cases of foot-in-mouth syndrome, particularly over social media), you shouldn’t be using real estate counsel to handle a cyber breach. Remember, cybersecurity is still a loosely defined concept that we have mystified, meaning that you may very well need a “jack of all trades and master of many” to get the job done for you. A well-rounded cybersecurity professional may not have all the answers for you, but the will have somebody in their rolodex that can be pulled in as a free agent in time of need. Point is, know these people beforehand.
On a final note, with the advent and increasing prevalence of firm state, federal and international breach disclosure timing standards, time has become even more precious. Having ready-to-go-IR, tested BCP, and executable crisis communication plans not only save you time, but could save you from the enormous tangible issues, like fines and penalties, and spare you the intangible carnage, like stock price drops and reputational damage.
Don’t lose in minutes what has taken you years to build just because you think it is okay to cut a few corners or believe “this won’t happen to me.” As the old vaudeville joke goes: “How do you get to Carnegie Hall? Practice, practice, practice.”
In Defense of the United States of America,
The #Cyber Avengers
The #CyberAvengers are a group of salty and experienced professionals who have decided to work together to help our country by defeating cybercrime and slowing down nefarious actors operating in cyberspace seeking to exploit whatever their tapping fingers can get a hold of.
- Paul Ferrillo
- Chuck Brooks
- Kenneth Holley
- George Platsis
- George Thomas
- Shawn Tuma
- Christophe Veltsos