
Cyber Incident Preparedness – Building a ‘good enough’ incident response plan

Cyber Security Awareness - Blog series: 5

December 7, 2023

Our cyber team pool their insights to pose questions and provide answers during Cyber Security Awareness Month.
Cyber Risk Management | Financial, Executive and Professional Risks (FINEX)

In our last blog we asked readers if their approach to and strategy for cyber incident response was ‘good enough’. Hopefully you will have had time to consider this broad question, and at least assessed whether you believe your plan to be sufficiently effective.

No two cyber incident response plans will (nor should) be the same. How could they be? Cyber incident response is an intimate set of decisions, actions and processes specific to your business and your people; there is no 'copy and paste' option for such a critical component of your wider business response, recovery and business continuity efforts, or at least there shouldn't be.

That said, there must of course be structure and consistency of language. Multiple business stakeholders will have roles and responsibilities within the plan, and so it must be developed to cater for and be usable by all. Yes, it is likely that your technical and IT security teams will require a more detailed set of plans that delve into the 1s and 0s of technical incident response, but for this blog we are going to focus solely on the business response to cyber crises.

Stressed, confused, angry? Don’t panic, that’s normal

Before we get into the plan in a little more detail, we must first address the obvious: cyber incident response, in the real world, can be scary. Typical human emotions will kick in, and you are going to be expected to make business-critical decisions without full knowledge of precisely what is happening to you and your business. Did I mention that you are likely to have only minutes, not hours or days, to make these decisions?

I'm sorry it must be like this, but that is the reality: you are going to feel stress, pressure, panic and confusion. Hopefully you can take some comfort from knowing that these emotions are totally normal and are indeed expected. If cyber incident response were a stroll in the park, well, we wouldn't be here talking, right?

Here are some key points for business leaders to remember at this stage:

Preparedness is critical

Your cyber incident response plan/playbook is only your guide; it won’t have all the answers. Incident simulation and testing (of the plan) will build awareness of responsibilities, comfort in processes, and will highlight any opportunities for improvement.

Your IT team will have minutes to respond

Trust and empower them, they are the professionals, but they can’t (and won’t want to) make all the decisions. Provide support and resources, but also look to offer healthy challenge when the time is right.

Every decision matters

All eyes will be on you, internally and eventually (once news breaks) externally. Leadership alignment, communication, and support to each other is going to be vital – this must be a ‘one team’ effort.

Don’t panic

Trust each other and your plans and processes. It’s going to be awful, so expect to be put in a position of extreme discomfort. You aren’t the first business responding to a cyber security incident, and you won’t be the last. You can, and you will, get through this.

Turning a negative into a positive

Most crises can, ironically, provide an opportunity to shine by (1) responding decisively and (2) finding opportunities to improve. There will be bumps, disagreements and a whole load of uncertainty, but enacting the incident plan as a united team with effective communication will help you respond well, recover successfully and grow as a business.

Getting the basics right

Instead of telling you what should be in your plan, I believe a more effective and personal approach, at this stage, would be to focus on the basics of the plan.

Questions to ask of yourselves and each other

The following questions should help prompt business leaders into thinking about their response to a cyber incident and highlight gaps in knowledge or process, which in turn may act as a baseline to further develop or improve activities. Whilst your IT and security teams will manage the technical response, it is the leaders who will command and control the overall effort. Are your leaders ready and prepared for that?

Preparation

Question 1: First and foremost, do you have a formal and documented cyber incident response plan?

Question 2: Hopefully you responded ‘yes’ to the first question, if so, where is it and who controls your plan? Can it be accessed if systems are down?

Question 3: Will you activate your Crisis Management Team (CMT)? Who is involved, when will it be activated and who will make that decision? Do you know how and when to declare a cyber security incident or crisis? Have you established escalation thresholds i.e., what events would require escalation to business leaders?

Question 4: Do business leaders know what actions and decisions are their responsibility within the plan? Who will be Responsible, Accountable, Consulted and Informed throughout your response process? The eagle-eyed will have noticed a reference to a RACI; RACI matrices are a great way of visually articulating who is responsible for what.

Question 5: Do you have a recognised structure of delegated authority? Do all stakeholders understand what roles and responsibilities are delegated by business leaders to the likes of your IT teams? For common cyber threats (e.g., ransomware), have you established incident decision-making diagrams or flowcharts in advance to pre-empt what your response actions may be?

Question 6: How will business leaders and associated parties communicate? Are you located at the same physical site? If not, what systems will you use to co-ordinate your response efforts? Do you have names and contact details (including alternate details) for key plan participants and their deputies?

Question 7: Have you prepared any incident-recording or evidence-gathering documentation (for example, an incident timeline and a decision log recording who decided what, and when)? These may be needed as part of any post-event investigation, so it is best to have them ready before you need them.

Question 8: Have plan participants familiarised themselves with your communication strategies, and do they know how to engage with customers, vendors and regulators where notification or reporting obligations apply? Have you developed template holding statements in advance to support swift communications?

Easy, right? As I mentioned earlier, a cyber incident response plan is unlikely to cover every eventuality. However, by answering the questions above and committing to a proactive approach, your business can be assured it is taking positive steps towards building a robust, responsive plan: one built for you, and by you.
