Because even the most robust cybersecurity program is going to leave the company vulnerable to some degree, planning and preparing for response and recovery must be a fundamental component of any cybersecurity risk management program – and a central part of the board’s oversight. Tabletop exercises and simulations can serve as an acid test of how prepared the company is for a cyber incident or breach, and provide an essential opportunity for exercising the muscles that must respond if a crisis occurs.
What happens if your company goes dark in a cyber attack? Really dark – across dozens of countries around the world. Your data is missing and your computers aren’t working. Even phones connected to your network are out. Moreover, large sections of your crisis planning are suddenly irrelevant – no one anticipated this kind of damage. As board members and management struggle to get their footing amid all the chaos, they may regret, far too late, not insisting on more training through simulated crises that might have made the early hours of this real crisis less terrifying and damaging.
A significant attack will be different from what anyone anticipates, and your plan may not fit exactly, or even closely. In fact, while it is important to have a plan or playbook, it is best to focus on key operating principles and be willing to adjust them when the crisis occurs.
One of the most important things to do is to hold tabletop exercises, with as many people as makes sense, with periodic participation by the board. One participant described a quarterly exercise that involves several hundred people in offices around the world. Senior managers are involved, but so are third parties who will be critical resources if a serious attack occurs, including lawyers, crisis managers and forensics specialists.
In the wake of a serious breach, companies need mechanisms in place to resume normal operations as quickly and smoothly as possible. They must have a recovery plan on the shelf (knowing full well they may need to pivot from the plan), fully understand their legal requirements and have policies pre-established for potential threats such as ransomware. They must be able to immediately coordinate restoration activities with external parties and advisors (e.g., public relations, forensics, legal), who should be prequalified, with terms and conditions already agreed upon, and on retainer. And they should closely monitor market events and other breaches to incorporate lessons learned and adjust existing plans accordingly.
“When a cyber crisis hits,” said one panelist, “you want to have your plans set and your protocols in place, and not be caught like a deer in headlights.” When talking about simulation playbooks, the group noted that there can be unforeseen challenges. For example, when it comes to communicating, many assume telecommunications will be available, or that laptops will be working, but this could be wrong if the company goes dark. They suggested that the contact details of key people be saved in multiple places, including hardcopy, and that alternative ways of communicating be identified in advance.
Disciplined preparations can go a long way to help a company’s leaders be effective and flexible when a breach or incident happens. Management should review where threats and vulnerabilities exist and the potential impact of each, and then confirm that cybersecurity risk management programs address the most important of these risks. The board should ask management about what sort of processes and programs are in place, what testing is being conducted, what issues have been identified and what changes are necessary.