By Paul Ferrillo
Intelligent responses depend on three elements:
1) Incident Response Planning
2) Business Continuity Planning
3) Crisis Communication Planning
There are numerous articles and memos that deal with the topic of incident response, business continuity, and crisis communication plans. Many have even been distributed through media outlets. So you may be asking: why us, why now, and what more could we possibly offer in this space?
We think the answer is pretty simple: sometimes you can’t get enough of a good thing. Similarly, there are fundamental topics that people are still having problems with. One subject area that evidently needs work is responding confidently to a cyber attack in an intelligent and public manner. There is a great deal of texts and certifications out there on these issues (some better than others, of course), but if we could, we’d like to give you some “basic street talk” on these issues. Essentially, we want to present the issues to you in a way that you could discuss while having a coffee or drink.
We won’t name names, but there are real-life examples of “good” responses. You intuitively know a good response. You feel a level of confidence that the company has the facts, knows the circumstances of what has happened, and is going “full steam ahead” to clean up whatever the mess is. Despite the situation being bad, you know that whoever is steering the ship has things “under control.”
And then there are the “other” responses. You intuitively know a bad response also. It’s the one with the bad smell, the train wreck you can’t watch but still want to, and the one where you throw up your arms and say to yourself “are you kidding me?! Did you really do that (or say that publicly)?!” In cases like this, you’ll normally see a swarm of regulators, stakeholders, investors, and the public directing a lot of “suspicion” at the organization and its executives.
Like we said, not naming names, but we want to give you some quick thoughts as to what we feel works and what does not work when you have a cyber train wreck at your fingertips. Here goes:
Incident Response Planning
There are plenty of things that often come up concerning the importance of incident response (or “IR”) planning. First, the importance of having a plan cannot be overstated. The worst time to figure out what to do or say is in the middle of a cyberattack. For instance, Internet access might get disrupted, files might get encrypted, executives might get fired or suddenly retire, or revelations might occur indicating a major loss of customer information or financial data. All of these issues might indicate a range of problems, from “manageable” to “catastrophic,” depending upon what happened. Problems get further compounded if the company is publicly traded, or is regulated by a federal or state agency (such as the SEC or the NY DFS), where the timeliness and accuracy of disclosures matter greatly, along with the reputation of the company or firm being attacked.
All stuff you know so far. Now comes the moment of not mucking it all up.
1) The IR Plan needs to be practiced often and not left in the desk drawer waiting for the first disaster to strike. Do even the top athletes of the world practice before the big game? Yes. They do. So if the very best need practice for something routine (like playing a game they’ve played their entire life), you can bet you need a lot of practice for something that is hopefully not routine. And practice your IR plan with all people internally, such as the board, executives, IT, HR, and the general counsel’s office. It’s not a bad idea to have an outside lawyer and cyber forensic advisor as well because, in a real disaster, you’re probably going to need them too. Failure to practice your IR plan is more or less the number one “YOU LOSE!” issue we see.
2) We recognize you have limited resources and can’t think of every possible disaster, but you need multiple plans and you need plans to test your limits. Practicing touch football will do little for you if you’re preparing for the Super Bowl. So think small and large breaches in various forms, such as DDoS, ransomware, insiders, corporate espionage, and depending on your size, even nation-state attacks. Make sure all of your plans have mechanisms to notify/activate the right people. This includes law enforcement, regulators, stakeholders, and investors. And plans can’t stay static, so keep in mind that plans need to address personnel changes and organizational restructures. No two cyber attacks are alike, so all IR plans cannot be alike either.
Practice hint: if you are multinational, you should have different regional plans and see if and how they would need to interact, particularly if an attack in jurisdiction A can have an effect on jurisdiction B. Different people involved, different laws, different vendors. You need to know all this stuff ahead of time.
3) Who’s the boss? You need an incident commander. Somebody needs to be in charge (they may be able to hand off if the situation changes), but somebody has to be the boss. Crisis handling by committee usually ends up in a boilover. Identify who needs to be the boss for the scenario at hand and who their support team will be. Sometimes it’s the CEO taking all the hits. Sometimes it’s the general counsel leading, with the CEO being the public face. Other times it’s a technical specialist running the table internally, but helping the PR team craft the external message. Experienced crisis management firms are helpful for disclosures, but if you go this route, make sure they have experience in cybersecurity issues, because cyber is an animal we still do not know well. Just be sure to have somebody calling the shots.
4) Timing is everything, especially for public companies that are trading daily on information available to investors. We are often told that we should “just get the information out there,” and there is a reason for that advice, but be prudent. Trying to outrun a potentially out-of-control speeding locomotive without some safety precautions could result in—well, use your imagination. With that said though, don’t sit back to watch and enjoy the show, because once that train crosses state lines, you may have no control at all. We admit this is not an easy task. You have to find that sweet spot between looking like you “don’t have your act together” and looking like you “are potentially hiding something.”
Business Continuity Plans
Business Continuity Planning (or “BCP”) is an essential part of corporate resiliency. We see these plans activated for issues like natural disasters (like flooding) and even terrorist strikes. But in the face of cyber attacks, they are more important than ever. Effective BCP helps get you back in the game sooner. This is critical because too much downtime could completely destroy your business. Think of it like this: you have the ability to bend while others are breaking. And just like IR and crisis management have evolved, so has BCP. Therefore, lead with skepticism if your BCP is being conducted by somebody who has little understanding of cybersecurity issues.
Good BCP relies on proper investigation and remediation of attacks. Forensic cyber experts and lawyers are well versed in these issues. And BCP relies on IT experts who create proper, segmented, offline backup media (taken daily! and regularly tested to ensure it will actually work in a time of crisis) so that the endpoints and network assets can be restored quickly and easily. Reminder: #BackItUp!
Here is a thought for your scenario testing and planning: take your busiest day or time period, say Black Friday or the two weeks before Christmas, and imagine losing your services to whatever scenario (ransomware, DDoS, etc.). Just play out your nightmare scenario and see how you’d deal with it. PS—we just took out your first line of third-party suppliers/vendors/experts because of supply chain integration. They’re down now too. What do you do now? PPS—Sorry, but don’t say we didn’t warn you!
Just like with IR, review, update, and test BCP regularly. Businesses are dynamic. We have accepted that into our corporate culture. But we have not necessarily adopted the same attitude toward continuous improvement for IR or BCP. These are the things where we don’t see a return on investment until they’re actually needed. Just remember that things can always be improved and that, in this modern interconnected world, effective BCP must deal with the variety and complexity of vendor dependency. Long gone are the days when you could do everything “in-house,” unfortunately, so you need to regularly review and update vendor roles and responsibilities.
Crisis Communications Planning
The worst time to exchange business cards is in the middle of a crisis. Overthinking causes delays. Analysis paralysis can turn a press release into a bunch of gobbledygook. And seriously, do you really want to be doing this for the “first time” during a crisis?
You see, crisis communications are there to manage the intangible, the things that rely on confidence, such as reputation and market capitalization. You may, in fact, have your act together, but if the message coming out of your organization seems like utter chaos, the public will make up their mind on that information, not on what is actually going on. If you accept for a moment that emotions and images have more impact on our decision-making than rationality and words, then you see our point of view crystal clear. So toss out the window the idea that you are in control of this situation (in terms of how the public views you) and do your best to manage what you have to deal with. Here are a few pointers to help with the management.
1) A pre-meet with the FBI and Secret Service is not a bad thing. In fact, we strongly believe in doing so. Why? Go back to our “worst time to exchange business cards is in the middle of a crisis” comment. Meeting beforehand gives all parties a chance to meet without someone’s hair being on fire (and greatly reduces the possibility of an errant punch to the face when frustrations boil over). During the pre-meet, you can discuss systems and IT networks. You can also discuss expectations and levels of support. It makes a difference. And of course, you do that good ole fashioned thing called “building a relationship” with persons and institutions. There are instances where a pre-meet, coupled with timely and accurate disclosure, has discouraged lawsuits. This is a very good thing. So remember, a friend in need is a friend indeed. And if you’ve got a nation-state or transnational crime syndicate smashing through your network (or being the stealthiest little bugger you have ever encountered), friends of this kind are good to have.
2) Pre-draft your disclosures for different scenarios. Much like planning for different attacks, having these different templates in your back pocket saves you valuable time. Consider that most significant breaches will require disclosures to regulators, shareholders, investors, employees, and others. The European Union’s GDPR has given consumers a mighty hammer, and if you’re not ready for the GDPR, you may be facing a world of hurt on that (keep an eye out for the #CyberAvengers playbook coming out soon, which talks more about the GDPR). And some of you may giggle at this, but have some disclosures ready to go in 140 characters. In case you haven’t noticed, Twitter, social media, and bloggers sort of play a big role these days. It’s your way of speaking directly to the people without an intermediary filtering your message.
3) Use people who have experience. This point is the pièce de résistance. As we mentioned above a few times, it is important for all companies to project an air of confidence in the middle of a breach. Confidence goes a long way. It shows the company has its act together. It shows that it understands and appreciates its different constituents. It can move markets. Somebody who understands that all these moving parts are a system—not a bunch of individual goals—can turn a crisis into a success within 72 hours. But don’t be fooled, these skills are not acquired overnight. A good way to identify somebody experienced is if they (FIGURATIVELY!!!) have been battered, bruised, and full of battle scars, but are still going on with a smile on their face, plugging away.
On a final note, with the advent and increasing prevalence of firm state, federal, and international breach disclosure timing standards, time has become even more precious. Having ready-to-go IR, tested BCP, and executable crisis communication plans not only saves you time, but could save you from the enormous tangible issues, like fines and penalties, and spare you the intangible carnage, like stock price drops and reputational damage.
Don’t lose in minutes what has taken you years to build just because you think it is okay to cut a few corners or believe “this won’t happen to me.” As the old vaudeville joke goes: “How do you get to Carnegie Hall? Practice, practice, practice.”