[BreachExchange] Why You Need a Cybersecurity Crisis Management Plan

[Audrey McNeil]

http://www.bankinfosecurity.com/blogs/you-need-cybersecurity-crisis-
management-plan-p-2276

Understanding the difference between cybersecurity crisis management and
security incident response could be critical to your organization's
survival.

A security incident response plan focuses on day-to-day security issues,
such as routine malware infections and distributed denial-of-service
attacks. In contrast, a cybersecurity crisis management plan focuses on
actions and processes that must be undertaken to protect and defend the
reputation of the organization, its products and its services. Crisis
situations could include mass loss of credit card numbers, Social Security
numbers, financial information or protected health information.

So what can CISOs do to augment their security incident response plans with
cybersecurity crisis management components? Here is some guidance based on
my experience in dealing with a breach.

Involve Executive Leadership

In a crisis situation, the CEO and his direct reports are thrust in the
forefront of responding to customers, local authorities, business partners
and the media. They all want to respond quickly and mean well. However, I
have seen them convey contradicting messages or provide too little or too
much information that has complicated matters unnecessarily. Therefore, it
is essential to train them ahead of time. These leaders need to be familiar
with their specific functions and roles during a crisis and need to be able
to follow a playbook.

Create Formal Cybersecurity Crisis Management Plan

Either include the following key elements in your incident response plan or
preferably create a separate document with:

Name of executive stakeholders;
Representation from legal, privacy, compliance and corporate communications;
Delineation of specific roles and responsibilities for each of the
executives;
Threat matrix with severity levels and associated response protocols;
Statements for customers, business partners, media and external agencies;
Pre-crafted communication templates for breach notifications as required by
state privacy laws;
Arrangements to immediately provide identity and credit protection services
to affected individuals.

I have found pre-crafted communication templates to be, perhaps, the single
most useful element. During a crisis, it's really hard to come up with the
right words to communicate with your customers and other interested third
parties. In one specific instance in my past, a single notification to
customers took over a week to finalize because information security,
corporate communications and legal could not agree on the wording

What you say could make or break the organization. So, think through the
various scenarios and come up with generic communication templates that
have been reviewed by your company's corporate communications, compliance
and legal departments.

The creation of the plan is just the first step. The second and more
challenging step is to implement the plan across your company, including
among senior executives.

Conduct Breach Simulations

Lead the executives and the critical leaders in a table top exercise that
simulates a breach scenario. Find a reputable third party to help lead this
effort.

An increasing number of companies are offering this service. The offerings
range widely in content, format and pricing. Find something that works for
you based on your budget and organizational culture. One of the best
simulations that I have been part of was led by one of the big name
consulting companies. They even had fake news videos showing how the media
was reacting to the breach. You may not need to go to this extent, but you
should look for a polished presentation that can hold the attention of your
executives.

Engage a Forensics Company

Once a breach is detected, there is an extreme amount of urgency in
investigating it or mitigating it. Support from forensics experts is
generally required. In that moment of crisis, finding a suitable third
party and putting together a master services agreement or a statement of
work becomes a challenge.

Therefore, it is imperative that a company's information security,
compliance and legal departments jointly spend time in evaluating and
selecting potential security vendors ahead of time.

Involve Your Legal Team

One of the critical areas of focus during the course of a breach should be
on "protecting the privilege." The attorney-client privilege is an
invaluable mechanism to protect any sensitive communications or information
(such as the cause of the breach or the extent of the loss of information)
from being forcibly disclosed by any third parties, including customers,
competitors and law enforcement authorities. Without such protection, an
organization may be vulnerable to civil or criminal lawsuits. In fact, I
have recently seen consulting companies disclose the results of their risk
assessments to government agencies. The lawyers in your company will help
you ensure that appropriate clauses are included in the MSA and the
associated SOWs to keep the attorney-client work confidential.

Be Prepared

It's only a matter of time before your organization will find itself in the
unfortunate situation of suddenly realizing that it's suffered a targeted
breach. Therefore, it's imperative to prepare in advance and be ready to
respond in a manner that ensures your customers as well as your
organization's own interests are adequately protected. That due diligence
can be demonstrated with a formal cybersecurity crisis management plan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161013/c609e989/attachment.html>