By now, if you haven’t heard “it’s not IF you get breached, but WHEN”, it’s likely because your idea of technology is the gramophone. For those living in the digital world, we know being hacked is a daily threat and that, unfortunately, at some point, we are likely to become the victims.
For a business, that worry is on our minds constantly and, while we can’t do away with reality, we can work to lessen the stress it puts on us and our companies. It’s time for worst-case scenario planning.
Today’s Focus: Building a Response Plan
Okay, you’ve done your risk assessment and you’ve started security awareness training so your employees can better hold off the attackers. Now, it’s time to put together a plan, just in case your soldiers aren’t successful in keeping all the bad guys out.
Gather Your Troops
When building an Incident Response Plan (let’s call it “The Plan” so it sounds as important as it is), remember it’s not just the loveable geeks in IT you’re going to need as part of your response team. If breached, those suspender-wearing superheroes are hugely important, of course, but you’ll also have non-tech damage control and basic logistics to handle; you’re going to need some others in the trenches. Call in legal, marketing, the executive team … anyone who is going to have a role to play in your response plan, right down to that Hulk-lookalike in security who is going to be in charge of manually admitting (or not) people to your building if key cards become compromised. Then assign each person an appropriate role.
Also, when doling out assignments, don’t forget Betty. Betty, that sweet grandma who has been with you forever knows everything, right down to how to fix the printer with nothing but a paper clip and Q-Tip. If anyone is going to know how to set up shop quickly and rein in your panicked team, it’s Betty.
But that doesn’t mean that Betty should be the point person, or even that she has to be involved in every aspect of developing The Plan. The Plan should have a designated leader (with at least one understudy) to serve as General. This leader needs to have the authority to make decisions on the spot (including those impacting finances), the ability to course-correct if the ship drifts off course, and the presence to command all the players with a cool, unbiased head.
The Plan Prologue
As with any plan, it’s best to have The Plan fleshed out before disaster strikes. After all, how will you know if The Plan needs to be implemented if you don’t walk the perimeter and assess the situation on a regular basis? What does that mean? It means to include your detection procedures as part of The Plan’s development.
Most of us think that if we get hacked, we’ll know right away, but that’s often not the case. Many times, hackers are sitting quietly on company networks, gathering data and just watching, often for weeks or even months before making a move. Make sure you identify the proactive steps, such as regularly scanning endpoints, that your IT team is going to take to detect incidents, so you’re able to respond swiftly.
The Meat of The Plan
Obviously, the guts of The Plan are the processes, procedures, and steps your response team, and the company as a whole, will take in the event of a breach. This part of The Plan is going to be in-depth, likely complex, and with numerous facets, many of which will have to occur simultaneously in order to guarantee the survival of the business.
As you work through The Plan and its many components, review your risk assessment and daily operations. Yes, The Plan should include how you’ll lock things down as quickly as possible in order to mitigate your exposure, but it also needs to detail how you’ll keep operating. Those IT people will be needed to protect your data and get you back online, but they’ll need some logistical help to make that a reality. A few things to consider:
- How will you contact your key response team players in the event of a suspected breach?
- Where will you set up shop? At your home base? A secondary site? From your employees’ kitchen tables?
- Will you need equipment brought in? Should you own backup equipment? Rent it? How will you make sure it’s available when you need it?
- How will you be able to access (uncompromised) data?
- Who will be needed and where to get things up and running? In what timeframe?
- How will you continue to process payroll (because, let’s face it, an unpaid Betty is an absent Betty)?
These are only a few considerations. Put end to end, your list of questions that need to be addressed as part of The Plan is going to be longer than the line at Chick-fil-A on a Saturday afternoon.
This part of The Plan is also going to take truly dedicated time and resources, including potentially hiring outside help. Outsiders don’t generally have a personal interest in your business, which allows them to look at things more clinically and ask the tough questions those employed by your business might shy away from, which in turn helps ensure The Plan will ultimately be feasible, practical, and efficient.
Send The Plan to the Presses
Once The Plan is complete, print it. Yep, go old school on it. If your entire network is compromised, it doesn’t matter how complex your PDF indexing was; you’re going to need a hard copy. Just don’t leave it sitting on the breakroom table.
You should also store The Plan electronically, of course; just not where it’s going to fall into the hands of bad guys if your systems are hacked.
Practice, Practice, Practice
Okay, The Plan is done. It’s indexed, cross-referenced, linked, and bound in beautiful vegan leather. Now it’s time to put it to the test.
The only way The Plan is going to be successfully pulled off in a crisis is if your incident response team has tried it out. That response team needs to be a well-oiled machine, which requires practice. Test The Plan by staging incidents, from little to catastrophic.
Keep The Plan Current
As you practice, you’ll find areas that need tweaking. Make adjustments as you go. Even once you’re satisfied that your team has the reflexes of tigers, continue to review The Plan on an ongoing basis. A prepared company is much more likely to survive a cybersecurity breach than one that crosses its fingers and hopes. Bad actors change, techniques change, technology changes – make sure your Plan changes with them.