When Things do Go Wrong
This month, sadly, Tales From the Click has one fewer superfan. That’s because my wife Rachel’s Uncle Cliff passed away recently.
Uncle Cliff was 89 years old; he lived a wonderful life. The truth is, we used to think he might outlive us all.
He was super-fit. Always exercising, especially running (he was a runner before running was even a thing). Many marathons, including Boston the day Rachel was born.
He kept mentally fit too. Up until just a few years ago, he ran a small business shipping medical instruments to hospitals.
And, like any great uncle, he loved telling stories and had a terrific sense of humor. You haven’t lived until you’ve watched a senior laughing as he tries to teach a couple of preteens (my kids) how to dial a rotary phone!
I miss him and I know Rachel and my kids do too.
When I think about Uncle Cliff, I am reminded that despite having done everything “right” in terms of longevity – exercising, staying mentally active, having a great attitude, enjoying close relationships with friends and family – sometimes health issues catch up with you anyway. There are no guarantees.
The same can be said for your cybersecurity program. You can never eliminate risk, you can only take steps to minimize it. And even then, and despite your best efforts, you can still fall victim to an attack.
So, what do you do if that happens?
Three suggestions….
#1. Plan Ahead
The absolute worst time to plan for a cybersecurity incident is while it is happening! At that point, there will be too much chaos and too little time to make smart, informed decisions.
Instead, you need to get out in front by writing a thorough incident response plan – now. Then practice it through “tabletop exercises.” No, things probably won’t unfold exactly as you had expected. But as Dwight D. Eisenhower famously said, “Plans are useless, but planning is indispensable.”
Your incident response planning should include all your key departments, not just the technical ones. Depending on the specifics, there may be financial, legal, marketing, and customer messaging implications that result.
The more time and thought you dedicate to this up front, the less likely you are to be caught flat-footed should an attack succeed.
#2. Contact Your Cyber Insurance Company Immediately
Your cyber insurance company is connected to all the relevant vendors and external players you may need.
Like you, they want to minimize the extent of the damage. Unlike you, they have been through this before. So follow their lead. (Make sure any incident remediation resources you bring in are approved by your cyber insurance, so you don’t have a whopping bill.)
Your cyber insurance company can help with:
- Incident Response Team Coordination. Consultants to help coordinate a response; specialists to stop the spread of an attack; forensic experts to analyze the attack’s scope, origin, and impact (to make sure the bad guys are really gone).
- Legal and Regulatory Support. Experts to ensure you comply with industry-specific laws and regulations; assistance filing breach reports to regulators as required; legal teams to review third-party agreements and obligations.
- Public Relations. PR specialists to write and disseminate statements to maintain customer trust and protect your brand; templates and strategies for notifying affected customers and others.
- Ransom Negotiation. Specialists trained in handling ransomware demands, including safe negotiation, payment, and data retrieval.
- Technical Assistance. Help in restoring systems, applications, and affected networks; guidance on addressing vulnerabilities that may have been exposed during the attack.
- Post-Incident Support. Revising policies, educating staff, improving cybersecurity strategies to prevent future incidents.
#3. Get Back to Normal
Not surprisingly, a cyber attack is very disruptive. Everyone is excited and on alert; you may be in incident response mode for weeks (or longer).
But when the active threat has been contained – granted, it is sometimes unclear when you have reached that point – you need to declare the incident “over” and move the team back to their regular jobs. That means ending the special meetings and rolling the incident process into standard follow-up.
This doesn’t mean you stop paying attention. And of course, security weaknesses need to be fixed and extra staff training may be necessary. But resources are not infinite; you need to beware of overreacting by adding security for its own sake or taking your eye off the business of your business.
Continuing to operate in “attack-response mode” will burn out your staff, cause you to lose focus, and ultimately hurt revenue.
My hope is you never have to put any of these steps into action. But you never know, so preparation and smart response are key.
And Uncle Cliff, if somewhere, somehow, you are reading this, I just did 20 pushups in your honor.
This article originally appeared on the Fractional CISO blog.
Cyber incidents can hit hard, but a solid plan makes all the difference! At Vendorapp, we’re all about staying prepared and protecting our users.
Where Tech Meets Risk Strategy | CEO, CyberSecure | Redefining Cyber Insurance
8mo: A good IR plan should be tested throughout the year. You nailed it, Rob Black, as always. Leveraging your insurer’s partners is a great, often overlooked tip. It will save you time and money, so follow this advice. Lots of nuggets here from Rob. Great info, sir!!
Pre-Sales Executive @Baarez Technology Solutions
8mo: Excellent insights on the importance of incident preparedness. Great post!
Map it, build it, use it. Improve it NOTE: Posts, reposts, likes, and other actions on this account are endorsed by me and not any organization or entity associated with me.
8mo: First, I’m sorry for your loss, my friend. I know that pain. Second, this is really good advice.
Improve cyber posture without increasing budget. Co-inventor of the patented Cyber Defense Graph™.
8mo: No doubt, tabletop exercises are important. You are more likely to get business leadership buy-in if the exercises are scoped by the loss events of concern to those leaders.