After spending nearly two decades in insurance technology, the last six as a CIO, I thought I had encountered most of the challenges my career could throw at me. I survived 9/11 in NYC, a massive blackout the next year, catastrophic weather, and then COVID. But the most remarkable learning experience was a full-scale cyber attack. This experience was my toughest career challenge, and it taught me valuable lessons that went beyond typical table-top exercises. Today, I want to share these insights with you, focusing on areas often overlooked in crisis planning.
Balancing Speedy Recovery with Preservation of Forensic Evidence
During a cyber attack response, there’s a critical balance to maintain. You’ll be pressured to recover operations swiftly, but it’s equally important not to destroy crucial forensic evidence. This evidence is indispensable for several reasons:
- Identifying the Entry Point: Understanding how the attackers breached your defenses is crucial. It helps in patching the vulnerability to prevent future breaches.
- Understanding the Impact: Knowing what data was stolen or encrypted is essential for assessing the attack’s impact.
- Gauging Threat Actor Entrenchment: The evidence can reveal how deeply the attackers have infiltrated your systems, which is critical for a thorough response.
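One practical way to hold that balance is to fix the state of collected artifacts before any recovery work touches them. The following Python script is an added example, not part of the original post: it walks an evidence directory, records a SHA-256 digest, size and modification time for every file into a manifest, and can later verify that manifest to show which artifacts were altered or lost during recovery. The directory layout, the sample log line, and the collector name are constructed placeholders.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large images (memory dumps, disk captures) hash without loading fully."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir, collector):
    """Record digest, size and mtime of every artifact under evidence_dir, plus who collected it and when."""
    entries = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            stat = os.stat(path)
            entries.append({
                "path": os.path.relpath(path, evidence_dir),
                "sha256": sha256_file(path),
                "size": stat.st_size,
                "mtime_utc": datetime.fromtimestamp(stat.st_mtime, timezone.utc).isoformat(),
            })
    return {
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "collector": collector,  # placeholder: in practice the responder's name and role
        "entries": entries,
    }


def verify_manifest(evidence_dir, manifest):
    """Return a list of (relative path, problem) for artifacts that are missing or no longer match their digest."""
    problems = []
    for entry in manifest["entries"]:
        path = os.path.join(evidence_dir, entry["path"])
        if not os.path.exists(path):
            problems.append((entry["path"], "missing"))
        elif sha256_file(path) != entry["sha256"]:
            problems.append((entry["path"], "hash mismatch"))
    return problems


def demo():
    """Build a manifest over constructed evidence, then show how a careless recovery step is detected."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        os.makedirs(os.path.join(evidence_dir, "logs"))
        auth_log = os.path.join(evidence_dir, "logs", "auth.log")
        with open(auth_log, "w") as fh:
            # constructed sample log line
            fh.write("Jan 01 00:00:01 host sshd[1]: Accepted password for admin from 192.0.2.10\n")
        with open(os.path.join(evidence_dir, "memory.raw"), "wb") as fh:
            fh.write(b"\x00" * 1024)  # constructed stand-in for a memory capture

        manifest = build_manifest(evidence_dir, "example responder")
        clean = verify_manifest(evidence_dir, manifest)  # expected: no problems yet

        # Simulate a recovery action that truncates a log the investigation still needs.
        with open(auth_log, "w") as fh:
            fh.write("")
        tampered = verify_manifest(evidence_dir, manifest)
        return len(manifest["entries"]), clean, tampered


if __name__ == "__main__":
    count, clean, tampered = demo()
    print(f"{count} artifacts recorded; problems before recovery: {clean}; after: {tampered}")
```

Keep the manifest itself off the systems being recovered (write it to the responders' own storage) so the record survives whatever the recovery does to the affected hosts, and hand the same manifest to outside investigators as the starting point for chain of custody.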
Crafting a Comprehensive Incident Response Plan
Your incident response plan should be robust, detailing not just roles and responsibilities but also decision-making processes and documentation protocols. Why is this important?
- Decision-making Clarity: Clearly defined roles and processes ensure that decisions are made efficiently and effectively during a crisis.
- Documentation for Future Reference: In the wake of a cyber attack, litigation can be a real concern. Ensure that all decisions and actions are well-documented, preferably under the advisement of legal counsel, to safeguard against future legal challenges.
Developing a Strategic Communication Plan
Communication is key during a crisis. A well-defined communication plan, especially for internal stakeholders, is vital.
- Preventing Misinformation: I have a saying: “In the absence of official information, people tend to create their own, and it’s never right.” These narratives can often be misleading or damaging. Don’t wait too long before communicating.
- Guiding Employee Communication: Employees might inadvertently become sources of information for customers, vendors, and the media. It’s crucial they know what can and cannot be disclosed.
- Informing Stakeholders: Both internal and external stakeholders should receive accurate, timely information to maintain trust and control the narrative.
Securing Essential Retainers
Finally, be proactive in establishing retainers for specialized services:
- Threat Hunting and Response Services: Specialists in cyber threats can offer invaluable assistance during and after an attack.
- Cybersecurity Legal Counsel: Specialized legal advice is crucial in navigating the legal implications of a cyber breach.
- Public Relations Support: Managing the public narrative and maintaining your organization’s reputation is critical during a crisis.
- Threat Actor Negotiations: In cases involving ransom demands or negotiations with threat actors, it’s critical to have experts who can handle such situations. Engaging directly with cyber criminals, transferring cryptocurrency, or accessing dark web sites for decryption instructions is risky and should be managed by experienced professionals in this field.
Facing a full-scale cyber attack was a defining moment in my career. The lessons learned have reshaped how I view cybersecurity and crisis management. I encourage every technology leader to consider these points in their planning. Being prepared is not just about having a plan; it’s about foreseeing and planning for the complexities that arise in real-world scenarios.