It is highly likely that an organisation will face a cybersecurity incident of some sort at some point in its lifetime, regardless of the level of cybersecurity defence in place. In KPMG’s 2018 Global CEO Outlook, a representative group of senior leaders ranked cybersecurity threats as the second highest risk to their firm’s future growth. Yet, many historical breaches show that security incidents can be survived. And when managed well, your response to them can be an indication to your partners and customers that your organisation takes security seriously, writes Maarten Van Horenbeeck, Board Member, Forum of Incident Response and Security Teams (FIRST), which has its annual conference in Edinburgh, from June 16 to 21.
A business leader can make a wide variety of cybersecurity investments, ranging from prevention, to detection and incident response. It’s often challenging to determine the appropriate level of investment in each area, as each is important and contributes to an organisation’s resilience against cyber threats.
Many organisations develop Computer Security Incident Response Teams (CSIRTs) as one capability to address security incidents. These teams follow a widely understood methodology that prepares for an incident, detects, triages and analyses it, works to contain and remediate the issue, and finally performs post-incident activity which typically includes a post-mortem. But even when your business is too small to invest in a dedicated capability, there are a few things you can do to make your organisation more resilient against an incident.
Planning for a security incident
Assign a clear incident leader. During a response, coordination is needed across many teams, including Security, IT, Engineering, Legal, Human Resources. In most cases, technical response work will not all be conducted by a single team. However, organisations benefit by having one clear authority within the organisation who defines the process that will be followed, and focuses on planning those interactions ahead of an incident.
Manage the information gap. Plan ahead to have a communications lead who works closely with the incident leader and handles third-party information requests from across the organisation. During an incident there will be a large volume of requests for information, while only a small team is actually investigating and producing the deliverables.
Build relationships with the incident response community. Effective cooperation during an incident is about trust. When an incident strikes, it’s too late to build it. Have your team engage with business partners, national CSIRTs and service providers before you need the relationship. Join relevant organisations in the field, meet their security teams at conferences and industry working groups, or use existing mechanisms such as a vendor review process to determine and track the right points of contact early on.
Retain external legal, PR and technical support. There will be skills your own team does not have. These may include legal counsel, public relations and specialist technical support such as crisis management or disk forensics. Find a provider for these services and sign a retainer before the incident strikes.
Study applicable reporting requirements. You may have made commitments to your customers on how quickly you’ll inform them when data is breached. Even if you haven’t, various reporting regulations are now in effect, such as the GDPR, where organisations typically have up to 72 hours to gather relevant information and report to the appropriate regulator – or the European Union NIS Directive, according to which specific Digital Service Providers must report “with no undue delay”. Understand each requirement ahead of time, so your incident response process takes them into account.
Exercise, exercise, exercise. It’s a common misunderstanding that security exercises are only important once you’ve achieved a certain level of maturity. In fact, exercises pay off from the very beginning. Take a scenario that affected another organisation, and perform a table-top walkthrough of how your organisation would deal with that same incident. At the very least you’ll identify gaps you still have to address.
Responding effectively and managing risk
Communicate often and early. When a security incident is known to the public, it’s important to acknowledge it early, even if you can only state you are investigating. This helps ensure that affected parties understand you are working on it, and will be a source of information in the future. Providing regular updates helps ensure a cadence, so they will come back at regular intervals and will feel less inclined to go look for information from other sources, which may be inaccurate.
Be truthful and straightforward. End users lose trust when communication isn’t clear and understandable, or if they feel you are not expressing what truly happened. Be clear and write to the technical level of your users, but don’t make things sound better than they truly are. When end users are exposed to risk as a result of your breach, say it.
Don’t lose track of the basics. “What would have happened if this took place on another system?” is valuable information, but you should first focus on the key questions you need your team to pursue early on. Higher priority questions typically include: “How did the breach take place?” and “What customer data is affected?”. Failing to reach basic agreement on the impact of an incident can cause delays and confusion later.
After the incident
Study and document your response. The most important phase when handling a security incident is the “post-mortem”. It’s almost impossible to prevent all incidents from happening, so this is a chance to review why this one took place and identify ways to improve your program. Ask the “Five Whys”: every time you believe you have an answer to why the incident took place, ask for a deeper, underlying cause, until you hit at least five levels of “Why”. Address all levels, and focus on the deeper, underlying ones, as they will lead to other, future incidents if left unaddressed.
Never let a good incident go to waste. Because it so clearly illustrates both needs and impacts, an incident is often the best time to get additional investment to prevent the next one. Make sure to clearly communicate what your security program needs to be more effective, and create follow-up plans to get buy-in from senior leadership in your organisation.
Share your learnings. As a community, we can only become better if we actively share information on the cybersecurity issues we experience. Airlines are so safe exactly because every failure is scrutinised and shared in detail with others, and action plans are made by airlines regardless of who was originally affected. By sharing your learnings, other community members have an opportunity to learn, and the internet becomes a safer place to socialise and do business.
Taking these steps, your organisation will be in a better place to effectively respond to a security incident. Finally, I encourage you to think of your organisation in the context of a supply chain. Most organisations care about a breach of customer information. But even more persistent and concerning can be the effect your products and deliverables have on other organisations. If you’re in such a position, for instance as a B2B provider selling hardware and software, or providing a service that when interrupted, would impact critical infrastructure, the narrow definition of a data breach may not be what you are most concerned about, and you’ll have different risks to analyse and address.
About Maarten Van Horenbeeck
He’s a Board member and former chairman of the Forum of Incident Response and Security Teams (FIRST), a global association of cyber security teams with over 400 members in 87 countries. He is chief information security officer of Zendesk, a customer service and engagement software company based in San Francisco. He holds a master’s degree in information security from Edith Cowan University in Western Australia and a master’s degree in international relations from the Freie Universität Berlin, and is a fellow in New America’s Cybersecurity Initiative.