A severe cybersecurity incident is the most dangerous risk most companies face. It is the greatest threat to a company’s ability to deliver for its customers, and so to its value. This is the tenth in a series of posts about cybersecurity risk, and how you can reduce it to give customers and investors confidence.
Small things go wrong all the time, and the bigger your organisation the more frequent the occurrence. People will click on phishing links and unwittingly try to download malware; production servers will go offline. Most of the time your security controls will kick in or backup servers will spin up automatically; after all, everyone tries to build their organisation to be resilient. The problem is that no matter how good a job you think you have done, there will always be a gap: something overlooked, something forgotten. Sometimes what starts as a small issue that you expect to resolve itself can rapidly escalate into a severe incident that puts the organisation at risk. This is where preparation, and having rehearsed incident management plans and SOPs (standard operating procedures), can make the difference between a bad day and a traumatic experience.
The key difference between an everyday security incident and a traumatic one is business impact. Anything that affects customers or your ability to serve them can have a severe business impact in a very short time. Your Security and/or DevOps teams are likely to be the first people aware of an incident, often within minutes, so it is critical that these teams are well connected and have well-established SOPs for incident handling and escalation, usually based on business impact or reasonable proxies for it. These SOPs are likely to include a few very important pieces of information:
Roles & responsibilities so that it is clear who is doing what.
An incident severity decision matrix, helping frontline analysts to categorise incidents into Informational, Low, Medium or High severity.
A RACI (Responsible, Accountable, Consulted, Informed) matrix, helping everyone know who needs to be involved and to what extent depending on incident severity.
Clear definitions so that there is no ambiguity.
Whilst most incidents will be resolved by the Security and/or DevOps teams and then reviewed in regular reporting, there will occasionally be incidents that warrant escalation to management or even executive level. When incidents are escalated to executive level in real time, it is usually because there will be a significant business impact and the response is about to become a much broader team effort. These can be extremely stressful and organisationally defining moments that need a level of planning above the SOPs used by the Security and DevOps teams - they need an organisational playbook.
The organisational playbook for managing severe incidents needs to be thought through very carefully. These are likely to be the sorts of incident that attract media coverage or severely impair financial performance, putting the existence of the organisation at risk. The considerations include:
Who is going to lead the response? Are there defined impact thresholds at which certain C-Suite executives need to be involved or in the lead?
Are there third-party advisors that need to be brought in at short notice - cyber incident response teams, crisis communications advisors, etc.? Are relationships established and retainers in place? Are third-party advisors part of your rehearsals?
Who is going to lead communication to the various stakeholder groups - Customers, Staff, Investors, Suppliers, Partners, Media? Do you even know who all the stakeholder groups are? Is your CRM sufficiently resilient? Do you know which government and regulatory agencies to contact and how fast?
What facilities and logistics might be needed to support the response? Will staff be called into offices or dispersed from them? Will staff need to get on site to data centres, warehouses or other facilities? Are there likely to be travel, accommodation or catering requirements? If so, who is in charge of arranging them?
Are there immediate financial controls that need to be implemented - delaying supplier payments to preserve cash, for example?
Are you sufficiently confident in the resilience of your internal collaboration and productivity tools, such as Microsoft 365 or Google Workspace? Do you have backup plans in case they are part of the issue? If the internet goes down at a key site at a key moment, do you have a resilient backup option - for example two fibre lines and a Starlink?
The reality is that it doesn't matter how much time you spend planning, something will go wrong - no plan survives contact with reality. Add to this that most organisations are in a constant state of flux, with regular personnel changes, and it becomes critical to rehearse incident response plans regularly. Whilst frontline Security and DevOps teams may be putting their SOPs into practice on a daily or weekly basis, it is important that the management and executive leaders who will have key roles in the organisational playbook rehearse their responses regularly and realistically - ideally at least once a year.
In these rehearsals leadership matters, and the tone is set from the top. If the CEO is clearing their diary, getting involved and taking it seriously, the team will follow their example. If the CEO pays lip service to the rehearsal, the value of the exercise will be greatly diminished and the impact of the next severe incident may be worse as a result.
Your organisation will be judged by the market if you have a severe incident, so of course you want to reduce the risk of having one in the first place, but the difference between a sympathetic and a scathing market response will often come down to how well you responded to that incident. As such, planning and rehearsing how you are going to respond to a severe incident is a critical part of ensuring the resilience of your organisation.
If you are navigating some of these challenges at the moment, we can help. Our mission is to help you reduce your cyber risk, so our help can take whatever form is most useful to you: conducting an assessment of your current setup, advising on system architecture and configuration, introducing trusted partners, training up staff, or helping with operating model development or hiring. Please reach out below 👇