Cybersecurity affects every team, organization and industry. Many attacks can be categorized as high-magnitude crises with potential impacts that threaten the credibility, and perhaps even the survival, of affected organizations.
Counterintuitively, the best time to respond to a cyber attack is before it occurs. An organization does not have sufficient time to complete the necessary steps for optimal response in a moment of crisis. One must act quickly and comprehensively when a breach is discovered to mitigate greater liability. Below are five critical, non-sequential, but parallel steps each organization must take to effectively deal with an attack.
- Mobilize the incident response team
An incident response team should be formed with all relevant internal stakeholders. This team includes technical workers to investigate the breach, human resources and employee representatives, intellectual property experts to help minimize brand impact or recover stolen information, data protection experts where personal data is involved, and public relations representatives. A number of legal implications can arise around a cyber attack, so it is vital to seek legal advice as soon as an attack is discovered and to check whether losses are covered under the existing business insurance policies.
- Secure systems and ensure business continuity
The first key technical steps once a breach is detected are to contain the breach, ensure IT systems are in order, and isolate or suspend the entire network or the compromised section. Suitable measures should also be in place to ensure that any network or other intrusions are detected immediately.
- Conduct a thorough investigation
An investigation should be carried out regarding the facts surrounding the breach, its impacts and remedial actions taken. Where there is potential employee involvement in the breach, the investigation will also need to take into account any applicable labor laws, and the investigation team should therefore consult and involve HR representatives as appropriate. All steps taken by the investigating team must be documented because they may be required when submitting a regulatory notification.
- Manage public relations
This will be a key requirement of the incident response team, particularly where the organization involved is a consumer-facing organization. Not all security breaches will become public, but for many it will be inevitable. Being timely, open, honest and accurate is crucial when making public announcements.
- Address legal and regulatory requirements
Regulatory notification requirements may apply in the event of a breach. Most jurisdictions do not (yet) have specific all-encompassing cybersecurity laws, but often a patchwork of laws and regulations exists in response to evolving threats. Some laws will apply universally across sectors, while industry-specific legislation is continuing to develop and target the most at-risk sectors – for example, financial services, critical utilities infrastructure and telecommunications. In the US, the legal patchwork includes: the National Institute of Standards and Technology Cybersecurity Framework, which consists of standards, guidelines and practices to promote the protection of critical infrastructure; and Executive Order 13636, which, among other things, expanded the existing program for information sharing and collaboration between the government and the private sector.
If you would like to learn more about how your business can respond to a cyber attack, join the Chamber’s Cybersecurity Leadership Council at our Lunch & Learn event on October 22nd at the Salt Lake Chamber Offices from 12:00-1:00 p.m.