Cyberattacks have become a permanent and persistent threat to organizations across commercial and government sectors. The question organizations are facing is not if a cyberattack will happen, but when. The difference between the winners and losers in a cyberattack, is how effectively the organization handles the response. The degree of loss and reputational damage (impact on brand value and customer loyalty) from a major cyberattack can be severe and irrevocable. Therefore, senior executives and the board need to ask: “Are we sufficiently prepared to respond to a large-scale cyberattack?”
Be prepared. Be organized. Be ready. Sometimes, you only get one chance.Red Adair, Legendary Firefighter
Tactics for planning for a response
Cyberattack response can be a complicated combination of sequential and cross-cutting components across various lines of business, operating areas, and third parties. Having an effective and comprehensive cyber-response strategy and plan in place will be critical to mitigate and contain the damage. For example, if your company is clearing half a trillion dollars a day, you have got to know that you’ll have the right procedures, the right information, the right analytical capabilities, the right governance, and the right accountable individuals fully engaged when you’re in the thick of a major cyberattack. With this mind, cyber war gaming and insider-threat reviews are becoming more and common across different industries.
Cyber war gaming, the new normal. A powerful approach is to simulate an attack on your organization, based on the threat landscape and attacks upon peers, even in different industries. Ask key questions such as: How will we detect an attack? How will we react and how quickly? Who will be accountable for what actions? How will we communicate with customers, staff, the media, regulators, etc.? How will all this need to be different in different circumstances, say, during a public holiday, a blizzard, or a power outage? This is essentially a form of fire-drill to test and affirm the organization’s preparedness for a cyberattack.
Insider-threat reviews: Ask your employees. Another related approach is to conduct working sessions with employees and ask them: “If you were going to exploit the organization, where, how and when would you attack? What would you do practically? What lack of controls, working arrangements, or access abilities would enable you to do this?”
This in-depth explorative method represents a form of X-Ray through which an organization can understand the true nature of its vulnerabilities. In our experience, those individuals with a long tenure typically know where the weak spots are. Further, while enabling the minimization and containment of external attacks, this exercise is tremendously helpful in preventing internal breaches.
Leading organizations record lessons learned from such tactical planning sessions into a Master Playbook (see “A Master Playbook for Cyberattacks”). This provides a structured solution that incorporates cyber risk management best practices in one execution-focused approach. And, just as they run periodic fire drills, companies schedule routine tests or drills to measure the effectiveness of their cyber defenses across different areas. As legendary firefighter Red Adair said: “Be prepared. Be organized. Be ready. Sometimes, you only get one chance.”
A Master Playbook includes four key components:
- Monitoring and detection systems: Describes holistic escalation processes tied back to risk appetite and analytics-driven triggers through monitoring and detection Systems.
- Governance framework: Identifies defined and tested team structures, individual roles and responsibilities, and governance mechanisms.
- Severity and trigger frameworks: Based on the value at stake, identifies timely response at the appropriate severity level.
- Suite of response options: Maps specific action plans for stakeholders coordinated by a crisis team, for a variety of scenarios and situations.