Organizations of all sizes are being targeted by cyber-criminals. A cyber breach is almost invevitable and you need to be truly prepared to respond. In a recent Harvard Business Review article, the authors found that many plans are developed in silos and too many plans sit on a shelf collecting dust. They lay out 10 principles to guide companies in creating and implementing a cyber-incident response plan.
1. Assign an executive to take on responsibility for the plan.
Executive support for the plan is critical. Without it, many in the company may not be on board with the plan because they either don’t recognize the seriousness of threats or because the plan might interfere with their business activities. Executive support is also important for integrating the response efforts across business units.
2. Develop a taxonomy of risks, threats, and potential failure modes.
Refresh them continually on the basis of changes in the threat environment. Having an organized structure for these things will help you make sure that all the bases are covered in your plan. The structure can also become the foundation for procedures in your plan.
3. Develop easily accessible quick-response guides for likely scenarios.
Encyclopedic plans are of no use; they typically sit on a shelf collecting dust and in time of crisis and no one can take the time to read it. Instructions need to be easily understood. Use a web-hosted incident management application to house your plans and guides so they’ll be accessible even if your infrastructure is down.
4. Establish processes for making major decisions, such as when to isolate compromised areas of the network.
The processes need to be as simple as possible and involve as little bureaucracy as possible. When a crisis is underway, there’s no time for layers of approvals and review. Get executive support for streamlining procedures.
5. Maintain relationships with key external stakeholders, such as law enforcement.
Know who to call and when, and know before an intrusion occurs. For instance, the FBI Cyber Crimes unit investigates cyber-based terrorism, espionage, computer intrusions, and major cyber fraud.
6. Maintain service-level agreements and relationships with external breach-remediation providers and experts.
Have third-party experts at the ready. Involve them with your exercises so that processes will flow smoothly in the event of a an actual breach. They can also help spot weaknesses in your procedures.
7. Ensure that documentation of response plans is available to the entire organization and is routinely refreshed.
It needs to be concise, well-organized and easy to follow. Documentation should be available electronically off-site, but you can also have a paper copy in case your entire network goes down.
8. Ensure that all staff members understand their roles and responsibilities in the event of a cyber incident.
Exercise often to keep people on their toes. This will help ingrain the process into their thinking so that when an incident occurs, they’ll be ready to respond.
9. Identify the individuals who are critical to incident response and ensure redundancy.
Consider whether an Incident Command System structure would be merited for your processes. This structure is designed to ensure that people know their roles and to foster good communication within the team.
10. Train, practice, and run simulated breaches to develop response "muscle memory."
The best-prepared organizations routinely conduct war games to stress-test their plans, increasing managers' awareness and fine-tuning their response capabilities. Conduct exercises that are as realistic as possible, particularly for the most serious scenarios. Simulate the actual damage that would occur in a real-world attack.
Executive sponsorship is the key to an effective response plan. As the authors remark,
Putting the development of a robust plan on the fast track is imperative for companies. When a successful cyber-attack occurs and the scale and impact of the breach comes to light, the first question customers, shareholders, and regulators will ask is, "What did this institution do to prepare?"