When a data breach hits an organization, everyone is under pressure to react. There is little to no time to think or plan. That’s why having a solid, approved plan and regular drills to practice are critical to an effective response.
These cyber response drills are arguably as essential as fire drills: As businesses become increasingly connected through technology, their risk for cyber breaches eclipses the risk of other cost-crippling events like natural disasters and fires. What’s more, the personal risk increases for executives and leaders who are ultimately being held responsible for protecting their organization’s data. (Remember Equifax and Uber?)
In our consulting work with clients, we are often brought into sticky situations that could have been prevented, or at least far better managed, if the organization was built securely and had regularly conducted cyber breach simulations. Here are the top mistakes we see.
Mistake 1: You don’t have a playbook.
First and foremost, you need to create a cyber response playbook. This playbook should detail who is responsible for what in the event of a breach, including a timeline of events. This includes corporate counsel, human resources, IT, public relations, and your customer-facing departments such as account directors or a call center. Keep in mind, nearly everyone in your organization will play a role during a response. Also, ensure this playbook covers the most realistic scenarios possible. This can be accomplished by referencing your organization’s risk profile. (For example, are you more susceptible to ransomware, an insider threat, or a rogue employee?)
Mistake 2: You have a playbook, but haven’t practiced it.
We have been brought into organizations that have a playbook, but didn’t practice it before an incident occurred. This is like having a fire escape plan, but reading it for the first time as the flames are engulfing your office. Schedule the drills in advance, and make them mandatory. You can practice at the cadence that makes sense for your organization, but we recommend at least twice a year.
Mistake 3: The right people aren’t at your cyber drill.
If you don’t have your CEO in the room for the drill, that’s where all of your best-laid plans can change. Cyber drills are not just for middle managers and implementers; executives must take part and practice as if a real, impactful cyber breach was just detected. Also, this is not just an internal event: You also need to involve the appropriate third parties, whether that is a managed services partner, your consulting partner, application vendors, public relations firms, and more. Anyone who would need to be aware and involved in a real incident should be involved in the drill, period.
Mistake 4: IT is solely responsible for security.
Security is not an IT issue – it’s a business issue, and everyone at the company is responsible for it. When a cyber breach occurs, everyone turns to IT: “What do we do?!” While IT can and should be part of the solution in many cases, they cannot shoulder security for an entire organization; it never works. Cybersecurity needs to be engrained into your company culture through required trainings and processes, and the business sand IT sides need to work together on strategy and implementation. If you go through a response drill and engage team members from both sides, you will very quickly understand why the two need to be working together before an incident occurs.
Mistake 5: You aren’t learning from your cyber response drills.
Every time you go through a cyber drill, do a post-mortem with the involved parties. What are the lessons you learned? What are the challenges or gaps you faced? How can you improve your playbook and integrate lessons learned into your playbook? One of the biggest mistakes is relying on systems that may be up-and-running during a drill, but not during a breach. If your company’s e-mail system is down, you won’t be able to rely on that to communicate to employees. Think about these scenarios ahead of time and have a Plan B, and even a Plan C.
Sean Curran is a senior director of cybersecurity at West Monroe Partners, a business and technology consulting firm, where he leads the firm’s cybersecurity practice. He can be reached at firstname.lastname@example.org.
Wayne Lee is chief cybersecurity architect at West Monroe, where he works with clients to develop proactive cyber security strategies. He can be reached here.