Corporate Cyber Incident Response Plan – Do You Even Have One?
by Brian Berger, EVP of Commercial Cybersecurity
I was messaging with a very good friend and colleague this week and we started chatting about incident response plans. We noted that most people have a plan in place at home; he raised examples around personal security elements such as home alarms, dogs, door locks and cameras. The comment that resonated with me most was, you know what to do when you come home and your home has been burglarized. Call the police, insurance company, etc. He went on to pose the question, what about when your company is electronically burglarized? For most organizations, that question is met with silence.
While burglary in the workplace takes on many forms, we will focus on burglary in the form of cyberattacks. The attacker is “stealing” information from your company for monetary purposes. Yes, the cyberattack is intended to take something from you: data, money or both. Cyberattackers work systematically and operationally efficiently to pick either high-value targets or high-probability targets to extort what they are targeting—data, intellectual property, personal identifiable information or cash extortion from a ransomware event. It’s a business and the value to the attacker is what they take for future gains or currency to potentially give you back what they have access to or control of. The results of this are highly distracting, expensive and potentially severely impactful to the business.
Circling back to the concept of corporate cyber incident response, what is your answer? Is the first step to call the authorities and FBI? Is it to pay the ransom? Is it time to deploy your Disaster Recovery (DR) policy? Do you even have a DR plan? Have you identified your critical data?
What exactly is the FBI’s role in cyber? The FBI’s role is to hunt down the “bad guys” and prosecute them, plain and simple. Their role is not to recover your assets, cash or data. Should you call the FBI if you are burglarized (cyberattacked)? Absolutely! We want to shut down as many cyber criminals as possible. Should you pay the ransom? Well, that depends—do you have a data recovery plan implemented that remains unscathed by the encryption tactics used by the attacker? If yes, why would you pay? Sometimes organizations need to make a time vs. money decision, as the time to recover may exceed the threshold a company can accept for their business. Law enforcement suggest not paying the ransom, but your business objectives need to drive your decision.
Many organizations talk about the topic of incident response, but very few have a realistic plan. Some suggestions that can help include: building a plan that includes recovery steps, using realistic scenarios and identifying leaders within your company who will drive those decisions. Have a true plan of action that is executable. Do a few tests of the plan “dry run” a few scenarios. Be prepared, be ready, be diligent—the odds prove that this will happen to your company at some point. The small and medium business market is the largest potential target, while also the least prepared. Start today!