Like the old words of wisdom “______ happens” (or simply, incidents occur), this is a fact of life. There are troubles you know you’re going to get into and others which you can’t anticipate. However, you can be prepared for each of them. And it is worth doing so, because when incidents occur we go through several psychological phases that affect our decision-making and ability to cope.
Let’s discuss a few angles that will help you get a notion of whether you need a cyber-security Emergency Response (ER) plan or not, or evaluate the one you already have in place. We will cover the Incident, the Response and the Team.
What is an ‘emergency’?
A whole discussion can be conducted around whether incidents such as a cyber-attack or an attempt to compromise the network are routine or an emergency. These days, quite a lot of companies experience such incidents on a daily – if not hourly – basis.
So what is an emergency incident then? Every organization has to draw their own line. How? By conducting a risk assessment audit, and defining what is vital for business continuity and which business procedures are of a lesser significance.
A few examples are a network outage, confidential data leakage, an ecommerce site crash and many other forms of business disruption. These can be caused by a DDoS attack, a persistent bot, web-based attacks or even malware that encrypts a company’s workstations or servers (ransomware). What would you do?
One of the parameters to take into account is the possible financial impact of an incident. Once a vital operation is under threat, you should go into a crisis mode.
The Incident – Crisis Management vs. Routine Management
Assuming you have put some thought into which incidents you may expect and estimated the potential cost of suffering and handling each, you are now ready to make a clear distinction between what is crucial and what isn’t. Then you know which incidents should be considered “emergency”. Remember, you can’t go business-as-usual when the business isn’t as usual. Handling a crisis requires a different approach than handling a regular operation.
There are some universal principles of crisis management which can be easily applied to cyber-security as well. Cyber-attacks hurt the machine capital of an organization, but the human capital can still perform and needs to be prepared and directed to overcome the situation.
The Response – Quick restoration of vital operations until peace time is reached
The response begins by acknowledging that the incident is of an “emergency” type. Here you can get a little support from technology. There are a lot of tools out there available for you to detect and estimate risks, as well as to help you overcome an intrusion or an assault. The problem though is to keep your head above the information flood. How would you know what is important without digging into the logs of every security solution you have? You need to think in advance about how you deal with this complexity. In many countries, the regulators have set a standard for cyber-emergency events, providing you with a structured response plan which you will need to tailor to your organization while detailing resource allocation (normally budget and labor).
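The two points above, a risk assessment that marks which assets are vital and a way to pick the important events out of the flood of logs from several security solutions, can be wired together in a small triage step. The following is an added example, not Radware’s code or a tool from the original post: it parses constructed sample log lines in three made-up formats (a WAF, a DDoS mitigator and an EDR agent), looks each affected asset up in a hypothetical risk-assessment table, and labels the alert “emergency” or “routine” using an assumed hourly-loss threshold. All asset names, loss figures, log formats and the threshold are assumptions for illustration.

```python
"""Added example (not Radware's code): normalize alerts from several security
tools and triage them against a risk-assessment table to decide crisis vs routine."""
import re
from dataclasses import dataclass

# Constructed risk-assessment table: asset -> (business function, hourly loss in USD).
# These values are hypothetical placeholders; a real table comes from your own audit.
ASSET_CRITICALITY = {
    "shop-web-01": ("ecommerce site", 25_000),
    "db-orders":   ("order database", 40_000),
    "wiki-int":    ("internal wiki", 200),
}

# Hypothetical threshold: above this hourly loss, a live threat is an emergency.
EMERGENCY_LOSS_PER_HOUR = 10_000


@dataclass
class Alert:
    tool: str
    asset: str
    category: str
    raw: str


# Constructed sample log lines in three different, made-up formats.
SAMPLE_LOGS = [
    "waf: action=block host=shop-web-01 rule=sqli-generic src=198.51.100.7",
    "2024-05-01T10:02:11Z ddos-mitigator volumetric target=shop-web-01 pps=1500000 status=mitigating",
    "EDR ALERT host=db-orders type=ransomware.encryption_burst files=1200",
    "waf: action=block host=wiki-int rule=xss-reflected src=203.0.113.9",
    "EDR ALERT host=wiki-int type=suspicious.script files=1",
    "waf: action=block host=unknown-box rule=sqli-generic src=203.0.113.10",
    "mailgw: queue depth 12 (informational)",
]

# One regex per tool; each exposes the same named groups so the rest is tool-agnostic.
PARSERS = [
    ("waf", re.compile(r"^waf: action=(?P<action>\w+) host=(?P<asset>[\w-]+) rule=(?P<category>[\w-]+)")),
    ("ddos", re.compile(r"ddos-mitigator (?P<category>\w+) target=(?P<asset>[\w-]+) .*status=(?P<status>\w+)")),
    ("edr", re.compile(r"^EDR ALERT host=(?P<asset>[\w-]+) type=(?P<category>[\w.]+)")),
]


def parse_alert(line):
    """Return an Alert for a recognized line, or None for an unknown format."""
    for tool, pattern in PARSERS:
        m = pattern.search(line)
        if m:
            return Alert(tool, m.group("asset"), m.group("category"), line)
    return None  # unknown format: surface it rather than silently drop it


def classify(alert):
    """Return 'emergency', 'routine' or 'unknown-asset' for one alert."""
    entry = ASSET_CRITICALITY.get(alert.asset)
    if entry is None:
        return "unknown-asset"  # asset missing from the risk table: fix the inventory
    _, loss_per_hour = entry
    # A blocked WAF hit is handled noise even on a vital asset; an active DDoS or
    # ransomware event threatens the operation itself, so weigh it by hourly loss.
    if alert.tool == "waf":
        return "routine"
    return "emergency" if loss_per_hour >= EMERGENCY_LOSS_PER_HOUR else "routine"


def triage(lines):
    """Group alerts by verdict; returns dict verdict -> list of (asset, tool, category)."""
    result = {"emergency": [], "routine": [], "unknown-asset": [], "unparsed": []}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            result["unparsed"].append(line)
            continue
        result[classify(alert)].append((alert.asset, alert.tool, alert.category))
    return result


if __name__ == "__main__":
    for verdict, items in triage(SAMPLE_LOGS).items():
        print(f"{verdict}: {items}")
```

The two verdicts that matter for the plan are the “emergency” list, which is what triggers crisis mode, and the “unknown-asset” and “unparsed” lists, which show where the risk assessment or the log collection has a gap before the next incident exposes it.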
I recommend you maintain at least two alternatives – what if Plan A doesn’t restore the service as quickly as possible or contain the risk as expected?
For each course of action, you need the right experts to play a well-defined role.
The Team – Who? When? What?
Maintaining expertise in-house is a constant challenge. Natural employee turnover combined with technology evolution keeps companies in an ongoing gap between the knowledge they have and the knowledge they need.
The implications for cyber security incident responses are numerous.
First, you may want to have a diverse team of experts who not only know how to analyze an attack, but understand the “big picture” of the business impact as well. Team members from a less technical background bring complementary skills: they can evaluate business considerations or solve operational bottlenecks.
Second, as discussed, the team of security experts should be extremely familiar with the different solutions running in the network, as there can be quite a few.
Third, a well-practiced team with clear guidelines can easily overcome psychological barriers such as anxiety, and by making rational decisions reduce error rate, maintain focus and conduct a structured investigation.
And last but not least, have the executives who call the shots engaged in the practice and familiar with a variety of scenarios.
Summary – here is why you need to have an Emergency Response Plan:
- Crisis management is different than routine management and requires a different approach and skills
- Improve decision making under uncertainty and anxiety
- Reduce resource consumption during restoration – of labor, capital and time
- Get back to normal operation as quickly as possible
- Minimize reputational and revenue losses
Now that we agree, more to come in our next blog – “Guidelines for designing and executing an ER Plan.”
Ben Zilberman is a product-marketing manager in Radware’s security team. In this role, Ben specializes in application security and threat intelligence, working closely with Radware’s Emergency Response and research teams to raise awareness of high profile and impending attacks. Ben has a diverse experience in network security, including firewalls, threat prevention, web security and DDoS technologies. Prior to joining Radware, Ben served as a trusted advisor at Checkpoint Software technologies where he led partnerships, collaborations, and campaigns with system integrators, service, and cloud providers. Ben holds a BA in Economics and a MBA, from Tel Aviv University.