The True Cost of Cyber Security Incidents


Regardless of how it happens, when your customers can’t access your service, you can’t take payments, or you can’t pay your suppliers, you can’t do business. Full stop.

To many executives, such disruptions caused by hacks or breaches are considered “security incidents,” while others — like those caused by misconfigurations or software crashes — are labeled “network outages.”

The distinction in labeling doesn’t matter all that much. What does matter is that your organization uses one set of procedures, one internal discipline and methodology, to handle all your incidents. Effectively and efficiently handling incidents with the same protocols and expectations will save you money, and make the money you spend go farther.

The financial advantages to being prepared include:

  • reduction in negative impact on customer trust
  • maintenance of your brand’s reputation
  • lower likelihood and cost of legal fees and regulatory fines.

Incidents Will Happen

Even with a robust information technology and information security framework in place, some cyber security incidents will still happen because you’re part of a complex technical supply chain over which you have limited control. Preparing for incidents reduces their frequency and severity.

What is Sufficient Preparedness?

Not all preparedness strategies are the same, and while some can prepare you for specialized tasks such as fail safe procedures or crisis communications, the most effective strategies recognize that security incidents are not just an IT issue, they are business issues that require a multidisciplinary, cross-functional approach.

This means training starts as soon as possible, is formal, documented, regular, and iterative. At this level of preparedness, IT and engineering teams, along with business executives, are expected to be proficient in incident recognition, declaration, handling, and clean-up to prevent significant business disruption and ballooning costs. Regularly scheduled (at least monthly) simulations and tabletop exercises involving engineering, business, and operations units help teams develop the relationships and cognitive readiness to work quickly and accurately under pressure.

At Target, after a massive 2013 breach of 40 million credit and debit records and 70 million customer records led to significant business disruption and huge clean-up and settlement costs of $292 million (they received $90 million from insurers), the company changed tack to bring cyber security realities to everyday business, as they describe in this blog post:

“…they regularly host “war game” simulations that mimic real-life cyber threats to help leaders and teammates practice their skills under pressure…

“Running these simulations is an important way to make sure everyone understands their roles and how to work together.”

The fact that company business and team leaders regularly triage and practice making decisions together through simulated cyber security incidents is a significant contributor to Target’s reduced frequency and severity of cyber security incidents.

Effective Preparedness is Ongoing

A program of continuous improvement in how you respond to, recover from, and learn from incidents reduces the financial and reputational impact, and the frequency and severity, of cyber security incidents. This simple imperative can also guide your company to better operational excellence beyond cyber security incidents.

To succeed, this means re-examining and, where needed, redefining the role and reporting chain of your CISO, and providing the C-Suite and board with a deeper understanding of your operational platforms and fabrics, and their dependencies.

Prepare your Technology, Processes, and People

It’s best practice to consider how each critical business function affects, and is affected by, a cyber security incident response, and to map out an improvement path for each.

In addition to all of this, managing expectations, staying honest, and showing integrity in incidents is key to maintaining customer trust. Effectively doing this as a natural demonstration of your corporate values, legal guidelines, and communications plans doesn’t just happen. You need to plan for it, and drill on it, over and over.

Executive Leadership Preparation

The C-Suite and the Board of Directors need the answers to some basic, plain-language questions to understand their current capabilities. While every organization is unique, here is a suggested list of high-level themes that can serve as starting points:

  • How do you know if you’re experiencing an incident?
  • How do you classify them and why does this matter for your business?
  • What do your plans specify about collaboration and cross-functional communication during various stages of an incident?
  • How is business impact measured and articulated in your organization, and by/to whom?
  • What is the process for making decisions during an incident? Who will be involved and who makes the final decision?
  • Who is responsible for executing those decisions, and how proficient are they in these roles?
  • How do you know when the incident has been handled and you can reallocate resources and team focus to other things?

Securing Compound Interest for Your Investment

What formal procedures do you have in place to document all of the above, every incident, and extract knowledge so that you iteratively improve your response every time?

This question speaks to an important team to maintain: your internal incident handling team. This is a small cross-functional group of people specifically tasked and incentivized to continuously improve incident-response-related performance, creating and maintaining the metrics that help you understand how well your current preparedness efforts reduce the frequency and severity of subsequent incidents.

The sooner you start preparing, and the more you practice, the better you’ll be not just for the next incident, but all incidents moving forward. It’s an investment with compound interest.

We Can Help

Evertas Professional Services can help with many of the activities described in this post. If you’d like to learn how, please use the contact form at the top and bottom of this page.