If you work at a small or midsize business (SMB), you must presume that your organization will fall victim to a cyber attack. It is imprudent to do otherwise, given that a major study of SMBs last year found that half of all SMBs suffered data breaches involving customer and employee information in the past 12 months.
No doubt your organization has taken steps to detect and deter cybercrimes. But has your organization put in place a detailed, predetermined incident response plan for if/when a serious breach occurs?
The fact is that the responses coming from your organization both during and after an attack are as vital to the SMB as what your IT team does to restore your systems and services. But many organizations today, even big enterprises, lack a formal incident response plan. The potential damage of not having a plan can be as devastating to the organization as the attack itself.
Consider this. Following its discovery of a major breach of 500 million user records in 2014, Yahoo’s response was silence. Not a word. That data was subsequently put up for sale on the dark web. When the company finally had to go public with the breach last September, the damage to its reputation was incalculable.
Execs untrained in crisis management. One reason so many organizations get incident response wrong is that top-level executives who determine this response are usually untrained when it comes to crisis management. It isn’t often they have to make potentially game-changing decisions in real time. Instead, their usual method of dealing with a crisis is to gather lots of information from lots of sources; review it all with lots of other people; and eventually respond – in days or weeks or, in some cases, not at all.
That is precisely why preparing a cybercrime incident response plan has to be on the agenda for all organizations, regardless of size. Below are some of the critical elements to consider when building such a plan.
Start by thinking of companies that got incident response right. Those of you old enough to remember will recall the Tylenol scare of 1982 when someone tampered with bottles of the pain reliever, resulting in several deaths. Tylenol’s maker, Johnson & Johnson, acted instantly to remove all Tylenol from store shelves, even though there was no evidence of any manufacturing problems. The company was widely hailed for its instant response, despite potential risks to its reputation.
Put someone in charge, before the fact. When a cybercrime or attack is detected, some predetermined individual needs to be the “point person” in charge of gathering all information on the attack, reporting and updating in plain language to the executive team, and coordinating the overall response. This could be the top IT person or data security chief, depending upon the size of the SMB and its technology staff. This person may or may not be the individual who becomes the public “face” of the company, but this public “face” needs to be determined in advance as part of the incident response plan.
Undertake a risk assessment of your data. There have been major breaches of data that is mostly or largely worthless to cybercriminals, such as data that is carefully encrypted or data of little or no strategic value. Other data, such as customer information and passwords, intellectual property files, or personal health information (PHI), is potentially highly valuable to thieves, and its theft can be very damaging to the organization. So when there is a successful breach, a key part of the incident response plan is matching the response to the importance of what has been hacked. This risk assessment needs to be reviewed periodically as new data and files are captured on the SMB’s systems.
Know the laws about breach disclosures. In the 50 U.S. states there are 47 different security breach disclosure laws. If you are located in one state but do business in several others, you must be aware ahead of time of each state’s disclosure laws that determine what you must disclose following discovery of a breach and how soon you need to do so.
Respond quickly and decisively after an attack. Have different parts of your plan for responding to your customers, your suppliers, your lawyers, and even to the greater public and possibly government regulators. Prioritize and properly escalate these different responses. Be certain to disclose new information as you receive it. And of course be ready to show that your SMB has taken steps—beefing up firewalls, network security and password management—to prevent a similar attack in the future.
Having a fully documented incident response plan can be very helpful in the event of litigation following a breach, as such a detailed plan can serve as proof the company was as prepared as it could be for a breach. In addition, insurance underwriters might consider discounts for companies with such a plan for handling an attack. Apart from these considerations, an incident response plan just makes sense given the great likelihood of a successful breach all SMBs face these days.