Cybersecurity crises are becoming commonplace. With the massive surge in ransomware attacks in the last few years, businesses can’t afford to ignore the increasing possibility of facing one, and should invest money and effort into crisis management.
Some have already been burned and are (hopefully) working on creating incident response and business continuity plans and practicing them right now. Those who haven’t yet been hit should thank their lucky stars and start the same process as soon as possible.
We’ve asked Ron Tosto, CEO and founder of cybersecurity and compliance consulting firm Servadus, for some insight on the topic.
[Answers have been edited for clarity.]
What are some frequent obstacles preventing companies from considering crisis management?
The most common obstacle is the lack of sponsorship from the executive leadership in the organization. If they do not see a reason for crisis management, then it will not be a priority for the company. This establishes company culture as it relates to crisis preparedness.
Schedules are also a very common challenge for organizations. Practice in crisis management steps requires maximum participation by the organization.
Finally, crisis management preparedness has a financial impact. Companies that are watching the bottom dollar may not take money from margin to prepare for a crisis.
What or who is the most crucial element/person/team when it comes to crisis management planning and putting the plan in practice?
Within an incident response plan, every role is vital to the success of the response. However, the most imperative role is either the network operations center or the security operations center, which would be responsible for discovering the incident and alerting the organization.
If the person has an opportunity to identify an incident and misses it, no one else will respond. During the incident, more team members are present and aware of supporting each other. There is an opportunity for every end-user to notice suspicious activity and to report it. Team members must understand the symptoms of an incident and receive encouragement to initiate the plan’s first steps as a part of the culture to protect the company.
Can crisis management planning be completely outsourced to outside experts?
Elements of crisis management can include outside experts: legal consultants, PR firms, and forensic investigators are good resources to have on retainer.
When it comes to crisis management, CEOs can use crisis management consultants, but the leader of the company should never lose focus that decisions made during a crisis belong to the owners of the company with a stake in the outcome.
How often should incident response and business continuity plans be revised, and how often should they be practiced?
Organizations with no major change to leadership and their operating model should be reviewing and testing incident response plans annually.
Merging operations after an acquisition, moving to a cloud environment, and restructuring the VPN infrastructure to support remote workers are all good examples of when to generate updates to the business continuity plan.
Every time there is a new business continuity plan, there needs to be an incident response exercise. If the person assigned to a major role within the incident response plan changes, then test the plan at least to a minimum level. There must be hands-on exercise and awareness training for all new employees, including technical roles and leadership personnel.
Planning for a cybersecurity crisis is important, but so is implementing strategies for mitigating the risk of facing one in the first place. What is important to keep in mind?
How to prepare for ransomware attacks is an often-asked question. From my point of view, the best action is to go through the checklist of security controls that prevent hackers from taking control of your network.
Organizations like Servadus offer a Ransomware Readiness Assessment which helps organizational leadership identify current risks to the corporation. Of course, having up-to-date incident response and business continuity plans is part of that assessment. Outside of that, the real value comes from remediating weak cybersecurity controls.
Additionally, organizations implement a framework to shore up security control implementation and sustainability. Many organizations try to maintain compliance and security controls but are vulnerable to attacks 3 to 6 months after validating the security in place.
The long-term strategy is about validating sustainable security controls. The service framework also allows organizations to evaluate threats to the organization and vulnerabilities of the system software in use. This is the fundamental formula for cyber risk: threats + vulnerabilities = risk. Beyond the cybersecurity framework strategy, organizations must have the capability to understand the vulnerabilities and the threats.
If a business leader believes any of this is too expensive, they usually believe insurance will pay the bill. But they should look at the fine print of their insurance policy; the fact of the matter is that even if you have cybersecurity insurance, the insurance company will often not cover losses resulting from an attack if the organization did not prepare for a cyberattack.
Some companies try to justify their decision to forgo preparation by saying that the cost of a cyberattack is usually less than the cost of prevention and preparation. The reality is that ransom payouts are now in the millions of dollars for large organizations; there are examples of a $4 million payment for ransom attacks. Even if an organization paid $1 million in preparedness to maintain the business, it is still $3 million ahead of paying bad actors.