When Spanish telecommunications company Telefonica was infected by ransomware in 2017, it reportedly advised staff to switch off their computers – the technological equivalent of playing dead, but considerably more costly.
Panic is not an effective data security tool. When your company’s defences have been breached and your confidential information is at the mercy of hostile forces, a robust incident management plan is crucial. The challenge is to get it right.
This type of strategy should have two important roles. It must help to contain and address the breach and it needs to maintain a basic level of service. This implies a multi-layered reaction led by intelligence, behaviour and communications. It also implies that you know what your most essential services are, understand how they are linked and have a back-up system (think of it as emergency lighting) to keep going in a crisis.
Every incident management plan will be individual to the organisation it serves, but could include:
- a checklist or flowchart on how to recognise a data breach and what action needs to be taken if certain circumstances are met – pressing the red button and calling the troops won’t always be appropriate;
- procedures for your response team: who does what and what level of authority does each team member have;
- information on secure, reliable methods of communication to ensure you can communicate with confidence when the main system has been compromised;
- advice on when and how to activate the back-up system;
- details on reporting a breach (you may have to notify the Information Commissioner’s Office, your customers and other affected parties within a given timeframe);
- information on who is authorised to speak to the media;
- procedures for conducting a post-incident investigation – what questions will you need to answer, what information do you require and who is responsible for getting it?
There is lots of information online, including cyber incident management templates. CREST, the international information security accreditation body, has produced useful guidance on how to recognise and deal with cyber incidents. Additional tools to help you assess and test your incident management readiness and capabilities are available here.
So, how do you get your incident response right? First of all, every single part of your plan needs to be ‘active’. Monitoring systems, for example, need to be kept up to date, and information needs to be seen, analysed and acted upon. An all-singing system that churns out data you don’t have time to look at or only half understand is neither use nor ornament.
Secondly, data security should never begin with a catalogue of hardware and software, and your incident response shouldn’t focus solely on repairing the tech. High-quality technology and secure communications apps can play a crucial role when managing a cyber incident, but data security is a state of mind. It’s the place you arrive at when you sit down with your fear and think carefully about how you can make it hard for attackers to get in, how you can detect their presence as quickly as possible, and how you can minimise damage and keep your business running.
An organisational culture of awareness is the backbone of an effective incident response. Of course, technical expertise and leadership are crucial when managing an incident, but if information integrity is seen as the preserve of ‘that techie from IT’ or that nifty bit of search-and-destroy kit you’ve purchased at great cost, your data will be more vulnerable than it needs to be. Data security is everyone’s business.
Thirdly, test, test and test again. Regular drills should be part of your incident response procedures. Testing will pick up any issues with the system such as convoluted processes, communication systems that don’t work or people having insufficient authority to take key decisions. It will also help your incident response team gel so that when a real incident arises everyone knows exactly what their role is, how it fits with what everyone else does and what to do if one team member isn’t available when crisis hits.
As your organisation grows and changes, so should your incident management plan, to ensure it remains fit for purpose.
Finally, I’d stress the importance of staying calm. Appearing flustered and out of control can cause jitters in the market, losing you customers and, if you are a publicly listed company, share value. Don’t publicly speculate about what has happened, don’t hide key facts and never lie. Confidence is currency, and, like all good incident response plans, it will help you contain the breach, limit the damage and keep trading.
By Phil Chambers, Chief Operating Officer, Metro Communications