If your organization was hit with a cyberattack, would you be prepared to deal with the ripple effect of the impact? In the unlucky event that your organization is found vulnerable, you need to ensure that your teams are prepared to act.
We’ve heard it said again and again: it’s not about preparing for “if” your organization will be at the receiving end of a cyberattack, it’s about preparing for “when” it occurs. Let’s face it, everyone is a target.
You may be asking, “But, am I really a target?” Consider the following:
- Do you offer a product or service?
- Are you storing confidential data?
- Are your employees connecting in from an unprotected network?
If you answered yes to any of the above, your company is a potential target. And – that’s OK, if you are prepared.
A well-baked plan requires two things: a process and a team to handle any incidents that occur. This team doesn’t start and stop with your SOC, it involves multiple people within your organization.
First, start with a small focus group that lays out the groundwork. This group can outline what you have to protect, potential incidents that could occur, and what steps are needed to remediate an issue.
All this should be laid out BEFORE your organization experiences an incident.
So, who belongs on this team?
This could be a larger group than most realize, especially depending on the size and scope of the attack. At the very core, this group could consist of: IT resources, an incident response lead, the SOC team, the threat hunting team, and product and subject matter experts. This core technical group, in particular, can best understand what damage was done and potential ways to remediate.
However, there will also need to be C-level involvement, as certain decisions can only be made at that level.
A few other core areas to include in your emergency management plan are HR (What data was accessed, and does it impact employees?), finance (Did anything material happen?), communications (How will you communicate efficiently and effectively both internally and externally?), and legal – who may also want to establish relationships with law enforcement, particularly the FBI, in advance.
Each of these areas should have their own mini crisis plans based on their area of expertise. These standard operating procedures may change when on the ground, but they should offer predefined guidelines that vary based on the priority level of the incident.
For instance, how the group responds to a down call center would vary greatly from how the group deals with a ransomware or nation-state attack.
It’s recommended that this crisis management group get together on a quarterly or bi-yearly basis to review the overall plan. This meeting should include role-playing a potential incident and how each member of the group would act based on the situation from start to finish.
This is a great hands-on way to ensure the crisis management team is best prepared for when a real incident occurs.
Part of your plan should also include a post-mortem briefing after an incident is remediated. Gathering feedback from each team member is critical for reevaluating the tools and techniques used and for planning future incidents and responses.
This could include:
- Whether the incident wasn’t declared a priority fast enough;
- How well things were communicated to the C-suite, employees, customers, or partners (all of which likely require various levels of information);
- Any roadblocks or obstacles that the team encountered while trying to remediate; or
- How well the team communicated with each other.
Recently, Jim Gogolinski detailed many other aspects to consider when building your crisis management plan. Watch his on-demand webinar on how organizations can best prepare for a potential cyberattack.
On January 5th, Jim will also host the webinar 2022 Cybersecurity Forecasts. Register here to lock in your spot.