When it comes to cybersecurity content, most of it focuses on prevention.
However, the significant rise in frequency and severity of cyberattacks tells us that the likelihood of your business experiencing a cybersecurity event is no longer a matter of “if it will happen,” but “when will it happen?”
Not to sound alarmist, but knowing how to respond after a cyberattack is just as crucial as the never-ending battle to prevent one.
While the technical response is incredibly crucial, that is not the focus of this article. Here, we’re looking at the amount of time it takes for your business to respond to a cyberattack.
Why businesses struggle to respond quickly to cybersecurity attacks
To start, look at the accompanying graphic. It represents an important concept in cybersecurity: closing the gap between the moment you are breached and the containment of that breach.
Dealing with a cybersecurity event effectively is all about compressing the time from the start of the breach to its containment and subsequent notification. Communicating quickly to your internal and external stakeholders that you’ve experienced a cybersecurity event is crucial.
Back in 2017 when Equifax was breached, the company fell under tremendous criticism for the amount of time it took them to go public with the news. In fact, it took over six weeks for Equifax to publicly acknowledge the breach, inspiring lawmakers to suggest passing data breach laws and data security standards. By then, the damage was already done to the Equifax brand.
How to respond to a data breach
Let’s work from the premise that you have experienced a cybersecurity event and that your IT team has taken the necessary steps to defeat it and re-secure your infrastructure. Now what?
Get out in front of the impact, before others make it known. Your reputation and perhaps even the survivability of your business depends on it.
Step 1: Communicate what has happened internally
Hopefully, you already have your internal communication outlined in a disaster recovery plan. Let your team members know that your company experienced a cybersecurity event and the details of what transpired. They need to know what is expected of them in a case like this. For example, should they continue to work on their computers or revert to paper-based systems?
Once you know what happened, you should only deal in fact, not speculation. Only share what you know to be true. Most importantly, train your teams on what information may be shared and by whom. Only authorized personnel should be allowed to communicate publicly about such an event.
Step 2: Engage your cybersecurity crisis team
Hopefully, you already have a crisis team identified and trained on how to respond properly when a cybersecurity attack occurs. If an event like this were to take down your entire infrastructure, creating a clear impact on your publicly facing activities, you need to have a plan in place, in advance, for how you will respond and what your message to the public will be. The last thing you want to do is come up with what to say on the fly.
At a minimum, the team should include the owner or CEO, members of the senior management team, your senior IT personnel and, if your organization is large enough, PR, HR and risk/reputation management personnel.
Identify who will be allowed to speak to the media on behalf of the company. Be sure this is not the first time they have done so. Also, be sure that your customer service organization is prepared and trained on how to respond to customers and vendors who may be impacted by the event. Provide them with prepared messaging and FAQs so that they aren’t responding to clients off the cuff.
Step 3: Communicate what has happened externally
It’s critically important to know who the stakeholders are before any event takes place. Who will you need to communicate with? Do you have a board that will need to be informed? How about your corporate attorney, insurance broker, banker, and other trusted advisors? Will you engage law enforcement? Many police departments now have personnel who are trained to deal with cybersecurity events. Get to know your local law enforcement resources, including your local FBI field office and the cyber agents assigned to it. The FBI has a very active cyber program and can be an important resource, depending on the nature and scope of your event.
In summary, be prepared with a plan. Educate, practice, and train your team on your plan before you need it. Update it based on lessons learned and review it annually. You want to project confidence, but not arrogance, in the face of a cybersecurity event. Reassure your employees that the business is OK and that you’re prepared to maintain operations, even if in a limited capacity at first. You need to assure your customers and business partners of the same. Have manual systems ready and tested.
Finally, have a clear message ready for public consumption. Your reputation and the very survival of your business may depend on how you communicate, internally and externally. Remember that building a culture of cybersecurity is a leadership issue, not an IT issue.