By: Mark Hoffman, MBCI, CBCP

Recently, a client asked me to review a Cybersecurity Response Plan template that they had purchased from a ‘leading’ research organization.  This 21-page document was intended to be used by my client’s IT department in response to a successful cyberattack against their organization.

It is not my intent to bash or ‘throw shade’ at the service provider or their document – although it is important that I reference the document’s shortcomings in order to make my point.

The “Security Incident Management Plan” instructs the reader to “use this template to outline the high-level response process”.  It goes on to say that there will also be “runbooks” created to handle specific incidents.  In addition to this document and the six identified runbooks, the proposed approach includes no fewer than six additional documents that would be referred to at time of crisis.  So far, we’re up to 13 documents that would (or could) be referenced depending on the nature of the attack.

As if the sheer volume of documentation wasn’t enough of a hindrance, organizations will soon realize that while these ‘plans’ and ‘runbooks’ cover a good portion of what needs to be addressed during a cyber incident, they ignore several critical components of an effective response.


The plan attempts to create an organization-wide approach to incident response, but it assumes that IT is facilitating the entire response.  The document is clearly written from a technology point of view and only gives passing suggestions (at a very high level) for what the non-technical teams could be doing during the various (technology focused) incident response phases of Analysis, Containment, Eradication and Recovery.

There is no mention of how to deal with insurance.  Nothing about decision making pertaining to paying ransom, engaging law enforcement, or reporting a privacy breach.  There is very little regarding crisis communications.  This is, at best, half a plan.

Had this document been called the “IT Cyber Incident Management Plan” – I wouldn’t have given a second thought to its IT bias.  In that case, I would have suggested that they remove any reference to non-technical teams (Legal, HR, etc.) and I would have suggested a second document that could be used by the Crisis Management Team.  (That’s not uncommon by the way.  Most of the time IT has a technology focused plan and the CMT has a business focused plan.  The two plans are connected by ensuring that the Cyber Lead is a core member of the Crisis Management Team’s response.  The Cyber Lead shares details of the attack with the Crisis Management Team and is the cyber SME during the business response).

I met with a colleague of mine this week to discuss one of his clients.  He’s in the cybersecurity managed services industry and he was telling me that in addition to his client’s many security vulnerabilities, they have no capability of managing the incident from a business perspective.  No crisis management plan.  Nothing from a business continuity perspective that will guide them through the process.

His client has the same problem that this service provider has.  They are both focusing very heavily on the technology aspect of the recovery and very little else.  The result – they aren’t prepared to effectively handle a cyberattack.  And they’re not alone.

Responding to a cyberattack is not JUST an IT issue.

I think of Jack Nicholson’s character in “A Few Good Men” every time I make this point.  It’s the part of the movie when he’s in court and he says, “you want me on that wall…you NEED me on that wall.”  That’s how I feel about our IT colleagues.  They’re the ones handling the technology focused response, dealing with containment and eradication.  We are most certainly dead in the water without them.  What I’m suggesting (and know to be true) is that this goes well beyond just being an IT issue and the response should be coordinated across the various subject matter experts in the organization. 

Your organization will be equally lost if you don’t engage your Senior Leadership Team in well-defined roles during your response.  In other words, we need THEM on that wall too!

Having IT handle the crisis management component of a cyber response is like having your Marketing team take charge of your forensic analysis. It’s like asking your accountant to manage a new server deployment.  It doesn’t make sense, and it’s problematic for two reasons.  First, IT already has their hands full containing and eradicating the attack.  Second, they’re simply not the right people for the job.  Responding to a cyberattack is serious business and you want your best people involved, focusing on what they’re good at. 

Done properly, a cyber response plan is built collaboratively with subject matter experts from across the organization.  In addition to your technology team, you will want to engage your Data Protection Officer, Lead Counsel, Head of Marketing / Corporate Communications, Risk Officer, Finance (or whoever is well connected when it comes to cyber insurance), the head of HR, and someone from your most critical business operations teams.

Each of these people has a key role to play, not only in the response phase – but during the planning and building phase, when you’re laying the foundation of what your response will look like.  (I get into this quite a bit in my course on this subject – see below).

Focus on crisis management and resilience.

It could be fatal to ignore the business impact associated with a cyberattack.  A recent survey showed that 66% of those responding said they would avoid doing business with a company that mishandled a data breach.  Are you willing to lose up to two-thirds of your customers because you based your entire cyber response on a technology focused plan? 

A good cyber response MUST have a parallel workstream that focuses on mitigating impact to the organization, handling legal and privacy matters, communicating effectively, managing insurance requirements, and making good decisions. 

In the course I developed and teach on this topic, I encourage people to give thoughtful consideration to their response as they develop their plan.  Identify your communication requirements ahead of time, build usable communication templates, understand what key decisions you’ll need to make and prepare accordingly.

Conclusion.

I’ve opened up countless presentations at conferences and webinars with the following statement:

For years, organizations have treated cybersecurity as a risk that IT could face alone.  Those days are gone!  Beyond IT, companies need to add a crisis management and business continuity component to their cyber response.

Organizations must understand how they are going to navigate through the legal and privacy minefield, what their communications requirements are, how the incident impacts the business and how to make good decisions.

Yes, we need IT on ‘that wall’, but they can’t stand there alone.

~~~

Mark Hoffman is an award-winning Continuity and Crisis Management Consultant.   He is the winner of the 2021 Business Continuity Consultant of the Americas award.

Mark has global reach.  He is currently providing thought leadership, business continuity, crisis management, cyber response and crisis communications consulting to customers in the US, Canada, UK, Sweden, France, Germany and the Caribbean.

He is a frequent speaker at industry leading conferences, and a collaborative contributor on webinars and podcasts.

Connect with Mark on LinkedIn – Mark Hoffman, MBCI, CBCP.

The Principles of Effective Cyber Response is a two-session online course that covers an often-overlooked aspect of cyberattacks – Crisis Management.  Using a prominent cyberattack case study as the backdrop for the session, this course will focus on key components that should be part of every cyber response plan.  

This course will run next on August 10-11, 2021.