CrowdStrike Services regularly helps companies develop strategies for identifying and responding to cybersecurity incidents. Too often, we encounter companies whose planning begins and ends with the IT department. Treating security as just an IT issue is one of the top mistakes companies make when developing their defensive posture, and it is often reflected in how they plan for contingencies.
Cyber incidents can bring on a host of legal, regulatory, and reputational challenges that pose a serious threat to a company’s bottom line. Security risks should concern the highest levels of a company’s leadership—and even if leaders don’t understand the technical details, they should understand the nature of the risk well enough to provide strategic guidance for response plans.
Even companies that have resolved to “get serious about cybersecurity” often fail to grasp that this is an organization-wide effort. Far too many opt to simply pad the IT budget instead of really thinking through what a serious approach to cybersecurity looks like. Spending money on products and services that help prevent or mitigate cyber threats is often part of such an approach. But a well-funded IT department in a company that fails to take an enterprise-wide approach to cybersecurity is like a star running back with no offensive line; it’s not a winning strategy.
Start at the Top
One of the first things we frequently hear from our clients is that their CEO or board of directors wants to make sure that the company is taking the necessary steps to manage cybersecurity risks. This kind of buy-in from the upper echelons of leadership is an important cornerstone of an effective cybersecurity strategy, but it requires a commitment of more than just budget. Executives must ensure they understand the basics of the risks their organization faces and request regular updates on how those risks are managed.
A logical first step should be to assess what those risks are in order to develop a security roadmap. This means understanding what kinds of threats the company faces, what will happen if those threats materialize, and how well suited the current defenses are to respond to such threats. It also means understanding how the company’s cyber risks stack up against other risks it faces. It could be that a company is so beset by other challenges that cyber risks fall far down its list of concerns; though in practice, most companies who work through this exercise find they have under-prioritized their cyber risks.
A growing number of organizations now have enterprise risk management programs designed to provide high-level, strategic management of multiple risks. Some designate a chief risk officer to maintain an accurate picture of the organization’s risks and ensure effective mitigation strategies. This is an ideal context in which to consider cyber risk and to present it to leadership.
Organizations that adopt some form of enterprise-wide approach to understanding cyber risks typically develop mitigation strategies that are more inclusive, too. When a company identifies the reputational or legal dimensions of its risks up front, it will be far more likely to include its public relations and legal teams in the initial phases of any incident response planning. Companies that begin with a narrower focus often overlook key players in their response plans or shoehorn them into existing plans as an afterthought.
We recommend considering the following groups to augment IT security when planning for cybersecurity incidents.
According to recent studies, between a quarter and half of all the costs associated with a data breach are either the cost of legal services or the result of litigation. That is as strong an argument as any for getting a legal team involved early in the process of developing cyber risk mitigation strategies.
Any holistic attempt to identify and evaluate an organization’s cyber risks must include a legal perspective. A legal team will be better suited to identify the potential repercussions of certain types of cyber incidents and can identify regulatory requirements that may apply to an organization’s data. I am consistently amazed by the number of people who insist that their company doesn’t store any personally identifiable information, or believe they have no cyber risks because they don’t process credit card payments. A legal team should be able to clear up such misconceptions and shed light on additional assets that require particular protection.
A legal perspective is also helpful when thinking through response efforts. If a company has a BYOD policy, does it have provisions that allow incident responders access to employee devices? What about contractors or vendors with network access? Is there any agreement that gives incident responders access to their systems or logs? If the company is going to require outside assistance, has it already negotiated retainer agreements or will it need to review and sign contracts in the middle of an incident response? Working with a legal team in advance helps anticipate and resolve some of these potential stumbling blocks before the pressure is on.
Yes, There Is Such a Thing as Bad Press
Although it may be difficult to quantify, the reputational impact of an incident can sometimes exceed the value of any lost data. Companies can limit that damage by anticipating and addressing the concerns of their stakeholders and the general public. Effective post-breach communications must convey both contrition and confidence: apologizing for the disruption and reassuring stakeholders that a thorough and effective response effort is underway, all without divulging unnecessary information.
It is a high-wire act with incredibly high stakes, but the odds of striking the right balance improve considerably when there is already a plan in place. Good public relations teams typically develop crisis communications plans in advance, and those plans often include keeping an outside firm on retainer to ensure the message is pitch perfect. Having these pieces in place facilitates more rapid notification in the event of a breach, which is often a factor in swaying public opinion. The Anthem breach is one example where a swift public response helped quell any potential outcry.
But pre-planning and hired guns cannot guarantee an effective communications strategy. The public relations team must have visibility into the actual response effort and understand it well enough to craft an effective narrative. Response plans that account for this are far likelier to provide the necessary insight to those who need it.
Take Care of Your Own
To the extent that organizations include their Human Resources department in their response plans, it is typically in the context of managing disciplinary action in the event of insider activity or a violation of company IT policy. But HR can also play a pivotal role in assuaging the concerns of employees in the midst of a disruptive cyber incident.
Employees can prove to be some of the most important stakeholders in a cybersecurity incident. After all, most companies hold considerable troves of information on their employees that attackers would find valuable (just ask OPM!). Beyond any concerns about employee privacy, cyber incidents can affect employee morale. If vital systems go offline for a period of time, it is likely to stoke angst among the people who rely on them to do their jobs. If a data breach thrusts a company into the headlines, employees may wonder about their job security. If corporate email correspondence gets posted online, these concerns are likely to crescendo (just ask Sony).
Involving the HR department in the incident planning process can spur proactive measures to protect employee data. It can also allow HR managers to begin thinking about how to address employee concerns in the event of an incident.
Insurance: Read the Fine Print
If cyber insurance is part of your company’s risk management strategy, it may help to review your policy and compare it to your incident response plan. The market for cyber insurance has expanded rapidly in recent years, and not without growing pains. There is little uniformity among policies, and some have very specific requirements for response activities. These requirements may define a tight timeframe and specific manner for notifying the insurer of a breach, specify individual vendors whose services will be covered under the policy, or in some cases even require that the insurer’s own response team manage the response.
A company’s incident response plan should account for its insurer’s requirements and make satisfying them part of standard procedure. For companies that are shopping for cyber insurance, reviewing the terms and comparing them to existing response plans should be part of the contract review.
Don’t Just Plan, Plan Well
Most organizations have come to view cyber incidents as inevitable. This is a tremendous impetus for developing effective incident response. In fact, the quality of a response is, at times, the greatest factor in determining the ultimate outcome of an incident—greater than the nature of the incident itself. Advance planning is an essential ingredient in an effective response, but it is no guarantee. Planning that starts with a strategic review of an organization’s cyber risk and incorporates all the necessary stakeholders gives an organization its best chance for success. If a company truly wants to “get serious about cybersecurity,” this is how it should proceed.