Another question to consider: Is there a clear plan for response, including incident and crisis communication?
The Driver Behind This
Incidents are going to happen, it’s not a matter of if but when. Whether it’s a result of you being placed in the crosshairs by a sophisticated adversary or an employee who has a laptop with personal information stolen out of their locker while at the gym, the organization’s leadership must be engaged. Understand, this is not an IT function, this is a joint effort and means having the appropriate authoritative representatives available and ready. Ensure general counsel is engaged to address any regulatory or privacy implications, the corporate communications lead is effectively communicating with the media and identified staff are sufficiently trained to answer questions from concerned customers. Engage with the appropriate team members from IT Operations, Information & Cybersecurity to understand what happened from the technical aspect; as well as internal audit teams to understand what control weakness allowed the incident to occur in the first place. Based on the type of breach, you may have to notify third parties such as Attorney Generals, specific payment card brands (e.g., Visa, MasterCard) or a federal agency (i.e., Department of Health and Human Services).
Processes, Practices, and Activities That Address This Question
Having a pre-defined, properly trained incident response team is essential if you’re going to enact your organization’s incident response plan. This is especially important when you’re considering a newsworthy, public incident that is going to require notification of either your customers or regulators. This means your “cybersecurity IR plan” isn’t just cyber focused. Senior management needs to be involved. In addition to having a well thought out incident response plan and incident response team, you need to test your plan. Whether that’s through planned tabletop exercises or unannounced tests – you need to test your plan! If you can’t point back to a recent test to assess how well (or poorly you did), plan one now.
Additionally, as previously mentioned, having a solid, current inventory of where your assets reside (i.e., on-prem or offsite) is also critical to success. This considers all those ingress/egress points into your organization where an adversary may be able to gain access and establish a foothold into your environment.
- “Making IT solely responsible for incident response.”
- “Not following the plan.”
- “Believing it will never happen to your organization.”