Cyber Incident Response

January 24, 2024

Claire Meyer, managing editor of Security Management, has a post on how to stay resilient and recover from a cyber incident, drawing on insights from industry experts. The article is at https://www.asisonline.org/security-management-magazine-article/2023/12/cyber-iincident-response-escalation; this is a summary.

  • Deterrence and prevention are worthy goals, but organizations need to spend more time on incident response and recovery preparedness.
  • Security needs to go beyond compliance. Business strategy should determine risk tolerance. Regulatory compliance is a minimum standard.

Expect incidents to escalate.

  • Not every cyber incident is material, and not every IT issue is a security breach. However, if a key system is offline, it needs to be investigated speedily and, if necessary, reported up the chain of command.
  • Organizations need criteria for when a technical incident should activate a crisis response. Criteria could be financial, reputational or operational impact.
  • Early signs that an incident could become material should prompt a warning to key leaders. Lower organization levels should be prepared to ask for help instead of trying to solve problems on their own. Create awareness quickly; good news travels fast but bad news has to travel faster.

Crisis communication.

  • Accurate information is a challenge. Usually, the first information is wrong. However, the sooner information is released, the better, even if it has to be revised later.
  • Set clear expectations with stakeholders inside and outside the organization. Keep them updated.
  • Prepare a stakeholder map establishing who, what and how to communicate.
  • Don't declare recovery too quickly; give investigators time to assess the incident.

Practice scenarios.

  • Exercises should fit the organization's model and feel realistic but not commonplace.
  • Throw a "wrench" into the scenario to test responses. Bring in departments not directly connected to cybersecurity.
  • Exercise participants have to learn how stakeholders value different priorities and processes. Know business drivers and be prepared to switch to backup plans.
  • Appoint an incident commander who can calm tense situations and serve as a referee.
  • Include dealing with the media in the exercise.
  • Include recovery planning, with contingency plans, in the exercise.

After action.

  • Review lessons learned and document them.
  • Have a project manager to implement recommendations.
  • Solicit and collect feedback from individuals and groups not involved in the incident or exercise, including social media. Get a variety of viewpoints.
  • Be aware of how the crisis affects individuals in the organization.