Security Organizations and Businesses Must Plan and Prepare for Information Security Incidents and Breaches Together as One Team
Operating with the assumption that you’ve already been hacked makes security incident response planning a priority for the organization. Security professionals know that, but it is not a perspective shared by the business. Business leaders aim to avoid negative news, make business as frictionless as possible and spend as little as possible on security. Telling them that a hack is a matter of “when” not “if” could be a career-endangering conversation.
Yet, for all the resources spent on security ($86.5 billion worldwide in 2017 according to Gartner), we are constantly reminded that users are the weakest link and privileged users pose a significant threat. Security incidents and breaches continue to make headlines, and criminals are constantly evolving their attack methods. Even independent businesses are finding themselves in the line of fire for nation-state attacks. Only the most myopic would think it can’t happen to them.
Getting business leaders to think from the mindset of “already hacked” starts with a conversation that can then lead to a path of increased alignment with security priorities. Assuming that you are already hacked will not only require involvement from your security team, but active participation from business partners as well. Consider these approaches together with your business partners.
Plan and train for the initial incident and breach response
In my years as a U.S. naval officer, I spent more time training to fight fires than I did training to launch missiles. That’s because the most likely threat to a warship at sea is fire – either accidental or caused by battle damage. Every person serving on a naval vessel is trained in damage control tools and procedures, even the officers.
Similarly, security organizations and businesses need to plan and prepare for information security incidents and breaches together as one team.
Breaches will occur at different severity levels, and increases in severity should result in escalating levels of resources needed to respond. For example, an incident of criminal activity that does not affect customers may not require executive participation. But if your business becomes front-page news, the brand management team and the CEO may need to create statements for the press, craft compensation plans for victims and communicate to shareholders.
Like the Pentagon has its “OpPlans” for various scenarios, such as responding to an invasion of South Korea by North Korea, these plans must be written, tested and trained against regularly. Many organizations use a “red team” for penetration testing, which can be completed by an internal team, outsourced to a third party or orchestrated through a bug bounty program. Even your auditors can provide scenarios. As they find vulnerabilities and weaknesses, incorporating their findings into an exercise can add realism to your tests.
These are tasks best performed without the pressure of an incident hanging over your head. And these exercises can give your business a new appreciation for what can happen, helping executives get a better sense of what security teams are up against when making the case for additional resources.
Plan and train for remediation
While good security teams already have procedures in place to remediate a breach, such as patching systems or recovering from backups, there are more than the technical tasks to consider. Legislation, such as GDPR, may require very specific timelines for notifying those whose personally identifiable information has been stolen. Attorneys may have to prepare to defend against lawsuits. Criminal forensics need to be gathered before evidence is destroyed by restoring from a backup, and shared with the appropriate authorities.
The business is also the source for prioritizing service restoration. If you have multiple services impacted, say by ransomware, how do you know which ones to restore first? The business should have business impact analysis (BIA) documents that must guide these decisions. Don’t wait for an incident to understand where these documents are kept and translate them into something usable for the security team.
Perhaps even worse than a lack of incident response planning is a presumption that you’ve arrived from a security perspective. That you are invulnerable to the types of attacks that others are experiencing. Get comfortable – get hacked. The business needs to understand that the threat environment is constantly evolving and no matter how strong the security may be, it’s essential to prepare for the inevitable day when a breach occurs that demands executive attention. When it happens, instead of clashing over perceived priorities, CEOs can walk into the boardroom with a plan and security can mitigate the effects.