Different organisations place cybersecurity ownership at the feet of different roles. Some see it as a senior executive responsibility, others assign it to a specialist team. Outsourcing to a managed security provider is another option.
IT experts naturally fill the central position when an incident occurs, but in the aftermath of a breach, many of the people you’ll need to rebuild and get back to normal operations may find themselves sitting on the sidelines.
Incident response teams need security experts who can identify the cause and source of a breach, then contain it. They also need the strategic and personal expertise of employees who may not be tech experts, but who will be invaluable to the process of returning to smooth operations.
Other departments have a role to play when a security incident occurs:
- Senior executives need to be involved immediately for overall guidance and to ensure the resources, funding, staff, and time needed for incident response are assessed and approved quickly.
- Legal teams need to provide counsel regarding liability issues when an incident affects customers, partners, or the general public.
- PR needs to be working with the incident response team hour by hour to ensure that appropriate information is shared with the press and other stakeholders.
- HR will need to be involved if an employee is found to be involved in an incident in some way – a very likely scenario given the scale of the insider threat.
Mission-critical concerns about containing threats and further data loss can mute the contributions you need from these non-tech experts – and also from front line staff, who need a distinct and well-defined role in your incident response plan.
Communications are essential
Communicating effectively to customers, partners and stakeholders during and after a breach is a significant challenge. Allowing too much ambiguity or long periods of silence creates an information vacuum that people will fill in with speculation. Misunderstandings between incident response team members can cause delays. Staff at every level may not know what to do or say if questioned by customers or the press.
That can delay returning to normal – and delays cost money. A 2018 study by IBM and the Ponemon Institute shows that organisations able to contain a breach in less than 30 days saved over $1 million compared to those that took more than 30 days.
It’s not just what staff need to say, but who to say it to, and in what order of priority. Depending on your organisation and the audiences you need to reach, it might make sense for PR, marketing, and customer support teams to be given different messaging guidance for different audiences.
For example: while transparency and honesty are core elements of successful crisis communications, when a breach is first discovered an element of need-to-know should be factored in. Key incident details, how the compromise was spotted, adversary tactics, and how you’re responding need to be shared carefully in the early stages to avoid tipping off the attacker, who could change tactics to further mask their activity. If the attacker may have access to your email or chat systems, coordinate the early response over out-of-band channels rather than the ones that may be compromised.
Care also needs to be taken with communications to the wider workforce. Employees who aren’t at the front line of the incident will nonetheless be drawn into conversations about it, and these can seep outside of approved channels. You want to prevent rumours and speculation, so plans and systems need to be in place to give employees accurate information as soon as possible.
The incident response plan should reflect this, with assigned responsibility for internal and external audiences, which channels will be used for reaching each one, and escalation steps based on the severity of the incident.
A simple incident response communications model (only part of the original table is intact; the one complete row is shown, followed by the remaining cells):

| Severity | Who is informed | When |
|---|---|---|
| Benign | IT and finance | As needed |

Cells from the higher-severity rows whose severity labels are not present: Legal, HR, PR/comms; within 60 minutes (two rows); within 4 hours or end of day; within 24 hours; video or presentation.
Practice makes resilient
Once response plans have been worked out, they need to be practised repeatedly. In a real incident emotions run high, and people may forget the playbook procedures they agreed months ago. Unfortunately too many incident response plans – no matter how well conceived – sit on shelves collecting dust until an attack hits.
As it is in security awareness training, so it goes for incident response plans. They need to be tested and simulated against real-world scenarios. This way you can surface any hidden weaknesses and observe how people respond ‘in the wild’ when confronted with a crisis.
What you learn in simulations will help you ‘build muscle’ around your pure IT capabilities and mirror the technical aspect of the response plan with a communications plan covering key audiences: customers, partners, press, regulatory, and law enforcement.
Sharing ownership for cybersecurity
Everyone in the organisation has a role to play in cybersecurity. Companies can promote this in an ongoing way with security awareness training, but it is just as true in the aftermath of an attack. Cyber criminals are weaponising staff, who often become the source of a breach inadvertently by falling victim to a phishing scam.
We can turn the tables on criminals by arming employees with the skills they need to identify an incident or attempted breach quickly, and then making them a damage mitigation force – armed with information and helping seed confidence that the business is on top of the situation, knows what’s happened, and is taking steps to fix it.