Cyber Incident and Breach Response Planning: Is It an Option Any Longer?
By Jim Holtzclaw, SVP, Marsh Risk Consulting’s Cybersecurity Consulting and Advisory Services Practice
Cyber threats and related breach events are a fact of life for today’s organizations. Almost every business relies on the internet or uses connected technologies in some way in its operations or to generate revenue. A well-developed Cyber Incident and Breach Response (CIBR) plan is critical to business resilience and functions as an important risk mitigation tool. While essential to any company’s enterprise cybersecurity program and IT risk management plans, a CIBR plan on its own is not enough.
Participation in detailed tabletop exercises is essential for organizational leaders and response team members to clearly understand their roles and CIBR plan processes.
These exercises should:
• Have a technical component to help validate the technical aspects of the CIBR plan.
• Expose the senior leadership team to the types of events and decisions that they will be required to make in a real world cyber incident or breach event.
Additionally, an organization’s leaders should seek to apply the lessons learned from these exercises to refine and mature the CIBR plan and keep it current.
Ask yourself this question: Is your company ready to respond to a cyber incident or breach event?
If the answer is no, your company could face significant financial strains in the wake of an attack. According to the Ponemon Institute, in 2017 the global average cost of a data breach was down 10 percent over previous years to $3.62 million, though the average size of a data breach increased by 1.8 percent.
The financial benefits of effective incident response readiness are significant. As discussed in the Online Trust Alliance’s (OTA) 2017 Cyber Incident & Breach Response Guide, effective planning requires anticipating decision points. Evaluating scenarios in advance and running tabletop exercises help organizations align decision-making with their strategic goals and objectives. Not only is there the benefit of improved preparation and potentially lower costs in the event of a real incident, but exercises also help refine and improve a robust incident response plan that can dramatically reduce the operational impact of an incident. Having demonstrable incident response processes, including established internal and partner relationships (formal or informal), also can work to the organization’s advantage by potentially making the firm a more desirable risk for cyber insurers.
Leveraging Best Practices for a CIBR Plan
A good CIBR plan will apply the guidance outlined in NIST Special Publication 800-61, Computer Security Incident Handling Guide. While there are many resources, such as OTA’s 2017 Cyber Incident & Breach Response Guide, the NIST guidance addresses the topic comprehensively and outlines a firm foundation for planning, which should be tailored to the unique needs of the organization.
Many organizations today are embracing the NIST Cybersecurity Framework as a starting point for their enterprise cybersecurity program. Within the NIST Cybersecurity Framework, two of the five defined functions are Respond and Recover. These two functions relate directly to the organization’s CIBR plan and to the other crisis and emergency response actions that the organization would leverage in handling a cyber incident or breach event.
The CIBR plan should also be integrated and cross-referenced with other contingency plans, such as the organization’s Crisis Management and Communications Plan, IT Disaster Recovery Plan, Emergency Response Plan, and possibly others. This is important not only for achieving synergies among these plans, but also because a cyber incident or breach event is itself an emergency response event.
Three Paths to CIBR Plan Development
Broadly speaking, once the organization has decided to develop a CIBR Plan, there are three basic paths that it can take:
1. The do it yourself (DIY) method.
The DIY method can be the least costly in theory and is done by researching best practices, evaluating available references, surveying stakeholders, and more. In other words, it involves whatever would be required if the organization were acting entirely on its own. However, unless the team has some experience with CIBR plans, this method can take the longest amount of time and could end up being the most costly if there are false starts.
2. The Subject Matter Expert (SME) method.
The SME method can be the most costly, but will likely take the least amount of time for the organization since such experts have experience doing this type of project.
3. The hybrid method.
The hybrid method provides the benefit of outside experience and time efficiencies along with internal skill-building and cost-saving benefits.
The right path for the organization will be based on the organization’s specific situation and available resources. After a decision has been made regarding how the CIBR plan will be developed, the organization needs to develop the CIBR plan strategy, goals, objectives, and governance. This will reinforce that the CIBR plan is a policy document and has the approval of senior leadership.
Building a CIBR Team
Next, the organization must determine the composition of the CIBR team. The CIBR team members are not necessarily the deeply technical experts, nor are they generally members of the senior executive leadership team. They are the mid-level managers with experience in the areas of IT, IT security, operations, logistics, finance, legal, communications and media relations, and human resources, and with some knowledge of how IT systems are used to directly support the business. They will directly oversee the responses and actions during a cyber incident or breach event.
This team should be able to tap technical experts as needed to address topics such as:
• How can we run the business if we lose a specific business system, application, or database?
• What is the financial impact of the loss of a specific business system, application, or database?
• How can personnel do their jobs without access to a specific business system, application, or database?
• What is the quickest way to bring the impacted business systems, applications, or databases back online, even if only in a limited capability?
• How long will impacted business systems, applications, or databases be unavailable?
• What externally facing business systems or web applications are no longer available to the business? How long will these systems be unavailable?
Once a cyber incident or breach is detected, the primary focus for the IT and IT Security members of the CIBR team is to identify what happened and what devices were impacted (i.e., servers, laptops/desktop workstations, and mobile devices) through computer forensics and investigation. This will enable the CIBR team to document clear causes, develop appropriate responses, and implement any necessary repairs. The team can then develop and approve a recovery and restoration plan that can be quickly refined and actioned. If no internal computer forensics capability exists, then an external resource should be identified and notified so the cyber incident or breach can be handled in a timely manner. The CIBR team will need to identify internal resources that can support the execution of the plan and event-driven responses.
Examples of supporting staff include:
• External experienced cyber counsel.
• Administrative support to help with tracking the CIBR event activities and key decisions for senior leadership.
• Cybersecurity technical and analytical experts.
• IT recovery plan technical experts.
• External vendor contracting/procurement experts to support on-boarding of CIBR external support and/or materials procurement.
• Communications and media relations experts to develop cyber incident/breach event messaging.
Having these staff available for the CIBR team to access and leverage in support of event activities will help to expedite necessary responses.
The Phases of CIBR Plan Development
Developing the CIBR preparedness strategy, identifying key CIBR stakeholders and team members, and outlining team roles, external resources, and response guidelines are all essential elements of Phase I of the CIBR plan development.
Phase II adds the requisite details to the plan: the procedures, processes, CIBR team member roles and responsibilities, event tracking, and key decisions required of senior leadership as related to various types of cyber incidents and breach events. As organizations and teams become more advanced and skilled in handling cyber incidents and events, additional detail can be added to expedite response processes. A set of standard operating procedures will eventually emerge for dealing with specific types of cyber events or groupings of similar cyber events that the CIBR team must respond to.
Phase II also establishes how the CIBR team tracks its key activities. Various forms and templates are developed during this phase to support event information tracking. For example, detailed contact lists that include any external partners/vendors who will be supporting a cyber incident or breach event should be created at this time.
Additionally, the team needs to identify what information related to a cyber incident or breach event would be of value to leadership and what response actions would require approvals before or when an incident occurs. At the end of Phase II, the CIBR team should execute a cyber incident or breach event “dry run” to ensure that the plan is complete, effective, and meets the needs of the organization.
Phase III culminates in the finalized CIBR plan. A key component of this phase is the execution of a detailed tabletop exercise with the participation of the CIBR team and the senior leadership team to validate the plan. This exercise usually has a technical component to help validate the technical aspects of the CIBR plan and exposes the senior leadership team to the types of decisions that they will face in a real world cyber incident or breach event.
Following the tabletop exercise, a formal After Action Review is conducted with all participants to discuss what happened, what went well, and what requires further improvement. This information is all captured in a Lessons Learned document that is used to refine and complete the CIBR plan for formal distribution.
Once the CIBR plan is completed, a schedule of periodic exercises should be put in place to maintain the CIBR team’s and senior leadership’s proficiency in handling cyber events. Scheduling a series of exercises, such as three in an 18-month period, allows the organization to develop exercises of increasing complexity or difficulty while also increasing its ability to handle cyber incident and breach events.
When your next cyber incident or breach occurs, will you be ready?