COMMENT
The new Securities and Exchange Commission (SEC) rules on cybersecurity risk management, strategy, governance and incident disclosure have recently come into force, and organizational approaches to responding to cybersecurity incidents are top of mind among stakeholders in both public and private companies. While most corporate management teams and boards take for granted that their organizations are ready for a potential cyber attack, recent events have shown that many are unprepared to handle what will be their worst day at work.
A company’s response to a crisis is a direct reflection of its preparedness. Rather than focusing solely on what happens during and after a cyber incident, executives and leadership teams must first understand that the period leading up to an event is the most critical. Organizational remediation efforts can and should be developed, tested, and implemented before an attack occurs. It is critical that leaders use this time to evaluate how well their teams will respond when faced with a dire situation and take the necessary steps to ensure cyber readiness.
Develop and implement an incident response plan
Too many organizations find themselves in the midst of a cyber crisis without a formal response plan in place. Companies make critical mistakes that compound the financial and reputational damage of a cyber incident simply because they have no established roles and responsibilities and no documented chain of command for handling these situations. In the first hour of a crisis we see the most workplace bias emerge, leading to a significant number of errors. During that “golden hour,” people aren’t sure what to do, but they insert themselves into the crisis because they believe it’s their job to do something. This lack of understanding ultimately slows the recovery and repair process.
There is no single blueprint for what an incident response plan should look like, because every crisis is different. However, executives, board members, security teams and other stakeholders need to know who takes the initiative to respond, what each person’s responsibilities are and what steps should be taken to communicate internally and externally. The formal incident response plan should include a designated incident commander who works across lines of business and divisions within the organization to ensure that each person and department understands the situation and performs their duties as assigned. The incident commander is also responsible for contacting the company’s third-party experts, such as law firms, incident response providers, ransom negotiators and public relations firms, to ensure they are aware of what has happened. The cyber incident response protocol should be incorporated into the broader organizational crisis response plan, reviewed frequently and updated as needed.
Stress test the response plan in an active simulation
Planned actions can easily get lost in the shuffle during a real cyberattack because of the natural psychological response employees have to a crisis. Leaders must understand that those caught up in the attack will experience a surge of cortisol, the stress hormone that creates a “fog of war” during turbulent times and can lead to further problems. The most common problem is the inability to validate and verify information. A person’s interpretation of what happened, or of what was shared with them, may differ significantly from the facts of the incident. The result can amplify a single piece of information about a potential event and turn it into a full-blown crisis.
The best way to assess how teams will respond to a cyber attack is to test the formal incident response plan. Tabletop exercises and wargames are immersive experiences, conducted in a controlled environment, that prepare companies to face and mitigate a potential attack. They give every person within the organization the opportunity to feel, act and behave as if they were in the middle of an attack. These training exercises allow teams to experience that influx of cortisol, learn how to handle and manage it, and develop the discipline needed to execute the response plan. They also give leadership visibility into how an individual’s response affects the overall approach to remediation.
Evaluate the effectiveness of the plan and improve it
Once the organization and its cyber incident response plan have been put to the test, the next step is to evaluate the effectiveness of the plan and identify opportunities for improvement. It is important to note where fundamental breakdowns occurred and what can be done to address them. For example, if the communication cadence faltered, why did the team fail to contact the appropriate stakeholders? Was this a procedural failure, or did the incident commander fail to fulfill their duties? Leadership should know whether to commit additional resources to improve the level of security or whether it needs to involve multiple organizational leaders in leading the response effort.
Executives and board members need to consider how prepared their team is before an attack occurs and how it performs during the crisis, and understand that the challenges surfaced by the wargaming exercise will arise again when a real attack occurs. It is critical that leadership is involved in the evaluation process, as the final decisions will have widespread impact on key stakeholders. Understanding how each choice affects and improves security and coverage will increase employee engagement, which is critical to successfully defending an organization.
Cybersecurity has become a board-level issue in recent years and must remain a priority well into the future. It is up to executive leadership to be well informed about their organization’s security response plan and how people respond before, during and after a cyber crisis. By proactively evaluating their response protocol before an attack begins, board members and executives can strengthen their defenses against emerging risks and ensure cyber readiness.