With cybercrime forecast to increase exponentially in coming years, businesses need to adopt a ‘when, not if’ mindset on cyber-attacks. Small to medium-sized businesses are seeing more frequent, targeted and complex attacks, yet only 14% are prepared to defend themselves.
Cyber experts claim you have one critical hour after discovering a breach, and how you use it will vastly affect the damage. Given that damage can affect reputation, revenue, fines, client relationships, and even the mental health of employees, having a plan for that hour is crucial. So, what does your company need to do to be prepared for that first hour?
1. Incident management plan
The success of the first hour will come down to the incident response/management plan you have in place. Pulling one together on the fly after an attack will be too late, as you’ll immediately be on the back foot. An incident management plan should include:
- Key contacts: who needs to know what, and when, including the escalation criteria
- A flowchart of the processes to follow, depending on the type of breach, the data affected, etc.
- Guidance on any legal or regulatory requirements
Having this documented gives you a very welcome tool to turn to, and it will form a crucial part of your company’s business continuity plan. It also enables you to practise your incident response so it is fine-tuned and ready to go, and it can underpin training. As that first hour of an attack is so crucial, ensuring you’re primed is important. Being proactive rather than reactive will drive this, which is why at ECI we recommend businesses do…
2. Roleplay and scenario planning
The ultimate responsibility in the event of a cyber breach falls on the Board. Are they ready? Running tabletop exercises, which simulate a breach and let you practise the responses, can make sure they are. It means that the plan you’ve established has been tested and feels familiar if it’s needed.
In a breach, the Board will need to make hard decisions, for example on revenue vs reputation. It is difficult to make those decisions under stress. Without practice, the likelihood of making the wrong decision is high, which can have catastrophic consequences for the business.
3. Technical team prep
Unsurprisingly, your technical team is key early on in an attack. A few key questions you’ll want them to answer:
- Can they isolate systems to stop the breach spreading?
- Are they able to monitor and restore the data?
- Do they have a critical asset register in place?
Knowing the answers will have a big impact on the actions you are able and willing to take. An understanding of personnel is also key. What happens if the CTO or CISO is on holiday? Do they have a ransomware/incident response specialist on speed-dial that they can lean on for support and threat intelligence? And when do you call your insurance provider? They can often help triage the problem for you, working together with the internal IT team.
4. Good comms processes and governance
Once a breach is contained, the next immediate question is who needs to know. The answer will always depend on the breach itself, but a good understanding of who might need to know, and how they will be informed, is best prepared ahead of time. Are you able to easily tell customers and suppliers, and what might that look like? How and what do you tell your staff? Do you need to put out a statement? If there is a chance you might, it can be beneficial to understand who you would use to manage reputational risk, whether that’s an existing PR agency, someone you have to hand in case of crisis, or even your investor’s agency. You can even set up a boilerplate template to have to hand if needed. Lastly, having specialist legal/cyber counsel in place may be helpful and, more importantly, if you think it might be, it’s best to find them ahead of time.
5. Lessons learnt
Well done, you’ve survived the first hour of a cyber breach! Now what? If you are hit with a cyber-attack, there will be great apprehension that it could happen again. That means you are in a great place to create the right feedback loop to try to ensure it doesn’t. And, if it does, you should now be much better prepared to handle it.