By: Molly Millerwise Meiners

Another day, another cyber hack. As the names of humongous, household companies are splashed across the news after falling victim to cyber-attacks, we become more jaded to the fact that breaches are going to happen and personal data will be spilled. But this general complacency doesn’t mean companies won’t undergo intense public scrutiny in the aftermath of a hack (albeit some companies blazed the trail for their corporate brethren).

Effectively planning now can help produce an effective public response later, even in the fog of war…especially in the fog of war. To highlight passage of the Cybersecurity Information Sharing Act (CISA) in the Senate, we outline key factors the business community should take into account as they contemplate how to respond if it is their company making the cyber news.


1. Institute a “when” - not “if” - mentality.

The threat of a cyber-attack is what keeps Fortune 500 CEOs up at night.

Global banks, for instance, face upwards of 10 million cyber attacks per month. When you couple hackers’ relentless mission with the fact that companies have to get it right each and every time—and the hackers only have to get it right once—the odds are not in Corporate America’s favor.

Massive cyber breaches over recent years have assailed big box stores, financial institutions, health care providers, social media sites and even the U.S. Government. The hacking community has an infinite agenda, with each individual—be it some bored guy operating out of his mom’s basement or the cyber wing of Pyongyang’s intel ops forces—having his or her own personal cause. Indeed, history shows that cyber attacks don’t discriminate by size, mission, industry or political leanings. In fact, those very attributes are the reasons some are targeted while others are not. Translation: No one is safe.

So what does this all mean? Companies should operate under a “when” not “if” mentality when it comes to cyberterrorism. Across the globe, corporations, governments, NGOs and other entities are rightly pouring vast amounts of funding and resources into safeguarding their systems, employees and customers from falling victim to cyberterrorism. But what happens when all of those protections fail? Do you have a plan in place when your sensitive customer data has been spilled, your websites have gone black, the phones are ringing off the hook with press inquiries, and Congress has kindly requested your presence at an upcoming hearing in your honor?

Wait…you do have a plan, right?


2. Have a “break the glass” plan.

Drafting a credible cyber attack response plan is a time-consuming and costly measure, but a pretty important one at that. Some question its value: “How helpful can it be since it doesn’t take into account the exact scenario we’re facing? It was drafted two years ago…isn’t the information stale? We’ll be in crisis mode—will we really have time to pull this out and start reading? ‘Chapter 1: You’ve been breached. What’s next?’”

Will the plan be valuable? Yes. Will you read it word for word? No.

In the fog of war, it’s easy to leave critical people out of the room, overlook key constituencies, divert focus away from one area to support another, and basically stop communicating effectively. By putting those key elements on paper and having those policies in place, you will drastically improve the effectiveness of your across-the-board response, helping to ensure the right people are working side-by-side in pursuit of the same outcome.

That said, the reactive press statement drafted for the plan probably goes straight in the trash and you start fresh.


3. Practice, practice, practice.

Your company should be simulating a cyber attack. And then simulating another one six months later.

The government has been doing “tabletop” or wargaming exercises for years—simulating a negative scenario and essentially working through the response. This became a more regular practice post-9/11, when not only the government, but also companies, were holding dry runs of their response to a terrorist attack. In the case of cyber, the U.S. government has even partnered with the private sector to simulate a major cyber attack.

Tabletops should be comprehensive and realistic. It takes serious planning to create a credible scenario and inject effective variables. It also takes serious commitment to get key officials from across a company to devote an entire day to seeing through a broad exercise, holding a postmortem discussion, and then spending the following days or weeks updating your “break the glass” cyber plan with key takeaways.

Of course the tabletop will not 100 percent prepare you for an actual breach, but having the right people in the room thinking about the right responses for the right constituencies will greatly advance that goal.


4. Make friends with your government affairs team.

When a company suffers a breach, Congress will want to know about it sooner rather than later—and certainly before the media finds out. But you should be laying the groundwork with those same elected officials far in advance of a breach.

Establish a dialogue with key legislators to privately demonstrate the seriousness with which you take cyber security and all you are doing to bolster your defenses. Make cyber one of your CEO’s top tier talking points for meetings with elected officials. Get your cyber and info security experts to Capitol Hill to help educate Congress on the threats faced by your industry and how they are evolving, while looking for ways the government and private sector can work together to keep one step ahead of the criminals. This groundwork won’t buy you a “get out of jail free” card when you are breached, but it will garner you some allies to help mitigate the Washington blowback.


5. Don’t put a target on your back.

Resist the urge to publicly brandish how much you’ve increased your cybersecurity budget or how many employees you’ve charged with keeping your company, clients and systems safe online. You’re basically extending a challenge to the hacker community to test your defenses and you might as well have written the news story that will run saying you were overly confident and wasted countless dollars and resources. If you have shareholders, they will love reading that.

Bottom line, as much as you want to make the public aware of how hard you’re working to keep the hackers out, that egg on your face will be hard to wipe off in the midst of dealing with a breach.