Incident response survival guide


All organizations are impacted by a security breach at some point. As the joke goes in the security industry, businesses fall into two categories: those that have been breached and those that don’t know they have been breached. Some organizations don’t know they have had a security incident until the FBI informs them.

A breach can have financial impact, regulatory impact or harm an organization’s brand and reputation. In order to minimize the damage, organizations need to be prepared for this eventuality. Here are some steps that will allow organizations to minimize the damage when a security breach occurs.

1. Acknowledge a breach is going to happen

Many people in security leadership roles communicate that they can prevent security breaches from happening. Imagine a general counsel communicating to the executive team that lawsuits can be prevented from happening. This would be a career-limiting move. The important thing is implementing controls so that when security breaches or lawsuits do happen, the damage is minimized.

2. Create an incident response plan

A properly written incident response plan will be comprehensive and involve senior leadership from across the organization. These roles include:

  • CIO, CSO, CISO
  • Technical specialists with training in Incident Response (IR) and Forensics skills (companies often lack sufficient technical resources internally, and outside firms may be required)
  • Business executive management including the CEO, CFO and COO
  • General Counsel
  • Outside counsel with experience in IR and Forensics matters
  • Media Communications, including perhaps outside Public Relations and media communications firms.

It is important to note that this cross-functional team should be assembled under the auspices of outside counsel. In other words, hire outside counsel first and then have the law firm retain the technical consultants that will do much of the day-to-day IR work. This is done to provide and extend attorney-client privilege as broadly as possible. Without doing so, much of the work that you may want to remain confidential may be subject to discovery and disclosure.

3. Use a commercially accepted incident response framework

The National Institute of Standards and Technology (NIST) publishes SP 800-61, a mature incident response framework organizations can adopt. There are others. While there is no need to reinvent the wheel when a solution already exists, these frameworks will need to be adapted to your organization. Doing so requires management commitment. People should know ahead of time who is doing what, when and how, as well as how they will communicate.

4. Define what an incident is

Organizations need to understand what an incident is and how severe it is. Examples of an incident include:

  • Intellectual property theft of materials such as strategic plans, financial data, customer information, employee data, engineering designs and much more
  • Compromise of regulated data. Organizations in regulated industries, such as healthcare, also have to comply with industry-specific regulations. In healthcare, for example, compromise of personally identifiable information (PII) or personal healthcare information (PHI) must be handled in specific ways.

5. Engage law enforcement

It’s important to establish relationships with local police departments, the FBI and the U.S. Secret Service. They will pay much more attention if there is an existing relationship. Conversely, an organization risks being a low priority if it isn’t a known entity.

6. Protect communications

Organizations are extremely vulnerable during an incident, and it is easy to overlook details. The bad guys often monitor traditional communications such as email, phones, cell phones and even text messages. Protected side-channel communications are required. Take simple and effective precautions such as encrypting cell-phone conversations and text messages.

7. Perform table-top exercises

Preparation for significant events allows organizations to continue business operations with minimal disruption and to minimize damage to their reputation. Rehearse on a regular basis how the organization would respond to hypothetical scenarios such as loss of customer data, financial data or patient information. Table-top exercise participants should include the same cross-functional team described in Section 2, above. People should know ahead of time who is doing what, when and how, as well as how they will communicate.

8. Have a plan for external and internal communications

Perception of an organization will hinge on how it responds to a press inquiry or to information leaking to social media. A timely response should be presented by authorized people. Similarly, have a plan for communicating with employees, and make sure that they know what they are and are not allowed to say to others. If the response is created at the last minute, it will be clear to anyone who hears it. On the other hand, a carefully prepared message can generate a lot of goodwill.

Being prepared for an incident can be the difference in how an organization is perceived by its employees, business partners and shareholders. By following the recommendations listed above, organizations will be able to control the outcome of the breach instead of the breach controlling their outcome.

Elad Yoran, Executive Chairman of KoolSpan, contributed to this article.