Author: Rick McElroy, Security Strategist, Carbon Black
In my previous blog, I touched on the importance of training and awareness. Today, we will address a related topic –
“Do we have a plan for incidents/data loss? Has it been tested?”
In the modern age of cybersecurity, you must plan for a breach. In 2017, 66% of companies in Asia Pacific reported that they had experienced business interruption due to a security breach. Clearly, the odds are stacked against us, and assuming that a breach will happen is a great first step. The second step is to figure out what to do when the breach actually happens.
Does everyone understand their responsibilities during a breach? Do the teams know how to communicate and execute the plan? In my last blog, I used an example from the Marine Corps to illustrate how consistent training and drills can make a huge difference to the outcome of an incident. The better drilled the teams are in this process, the better they will be able to handle a real incident correctly under the pressure of being attacked.
When you make practice a routine and make it part of the culture, responding to a real incident won’t be a frenzied, unstructured endeavor. Rather, it will be a well-orchestrated process. I want to stress that the cybersecurity team will be busy triaging, getting to root cause and working to close any holes the bad actors came through. They should be able to provide answers to the “Who?” “What?” “When?” “Where?” and “How?” questions to ensure the management team can make an accurate decision on reporting and post-breach steps.
You will also need your legal team, PR team, government affairs (if you have one), and compliance teams to understand the parts they need to play during a breach. This is an area where companies have shown themselves to be under-tested and, sometimes, to be simply making up the process as they go.
Remember: It’s always better to have a plan and not need it than to need a plan and not have one.