By Dominic Cockram
“Spectacular achievement is always preceded by unspectacular preparation” (RH Schuller) is a great adage in the crisis management arena and applies equally in the cyber readiness world. Our experience in both preparing our clients for cyber response and supporting them during cyber incidents has highlighted some key areas and lessons:
Raise awareness of the cyber basics
Non-technical staff need to improve their knowledge and understanding of the basic facts of the cyber world and, more specifically, of data breaches: their impacts and risks and the reputational challenges they bring.
We see those with significant responsibility paralysed by a basic lack of knowledge about the cyber domain; as a result they do not know the smart questions to ask, let alone how to assess and measure their response. Staff do not need to become experts, but they do need to understand some of the basic issues, facts, realities and challenges they will face.
Know your facts
As we become more attuned to data breaches and how they might affect consumers, the questions we face from the media will come more quickly and from a more informed perspective. They will be very challenging and should be prepared for well ahead of any breach. Understand what data and information you own, how it is protected and what can be done with it if stolen. You should know the impact on your consumers of losing each aspect of the data you own, that is, what it may actually mean for them in terms of risks to their own world.
Understand your response capacity and capability
Understand exactly how you would communicate with large customer groups quickly, how long it might take in reality and what channels you will use to do it.
Major mail-outs can flood both servers and call centres if not managed well. Check what can be done now so your strategy is based on reality and there are no unpleasant shocks when an incident occurs.
You need to know how you will monitor sentiment across social media, what external support you have for detailed forensic analysis, and so the list goes on. There are many areas of capability where you may need to call on external suppliers for discrete services. These areas should be identified clearly and the providers identified and ideally contracted, or at least outline terms agreed, to allow rapid deployment when they are needed urgently; to do so you need NDAs and similar agreements in place beforehand.
Knowing what is and is not possible in a crisis is key to some of the major decisions that will need to be made, and there will not be time on the day to work out what is possible.
Build internal and external relationships
Use cyber workshops, desktop events or simulation exercises to build internal relationships with those you may not normally work with (get to know that key database manager!). Equally, get out and meet the people you may need to call on, from contacts in the new National Cyber Security Centre (NCSC) to the ICO's office, key acquirer bank staff and the plethora of others on your cyber response stakeholder list.
A warm relationship now makes for a very different conversation when all around you may be in crisis.
Develop plans at appropriate levels
There should be a variety of plans and playbooks against key scenarios, with detailed workflows and guidance. Moving up the business, there will be (or should be!) plans at the middle management level (tactical or Silver) and the executive level (strategic or Gold) for crisis management in any form. These should still apply, but data breach incidents bring a unique set of challenges, and we recommend that additional guidance is provided in this key area to supplement existing plans. Highlighting the unique challenges and risks of a data breach ahead of time will allow the team to move faster and more assuredly when one occurs.
Vital to your success in managing a response to a data breach incident is time spent on preparedness; the above lessons should support the development of your cyber capability. "Fail to plan and plan to fail" remains as true now as it ever was.