Before the Breach: Get Serious About Cyber Resilience Sponsored
Authors: Elizabeth (Beth) Burgin Waller, Principal and Chair, Woods Rogers’ Cybersecurity Practice John Pilch, Cybersecurity/Privacy Analyst, Woods Rogers
Even as the world slowed in 2020, threat actors picked up their pace and used work-from-home infrastructure to spread malicious attacks. These bad actors also exploited trusted software vendors from Solar Winds to Microsoft, pushing new vulnerabilities across tens of thousands of corporations, governments, and organizations large and small. Vulnerabilities led to incidents and incidents turned into breaches, causing headaches across a spectrum of industries.
The Woods Rogers Cybersecurity & Data Privacy Group is often asked how to respond to a cyber breach and “what can our company do in advance?” Here are four tips.
- Design a true incident response plan that delves into real details of what occurs after a cyber catastrophe.
Gone are the days of simply dusting off an incident response plan and crossing your fingers that all will be well. An incident response plan cannot simply be a phone tree. Use the quiet before an incident to develop a true disaster plan.
If your organization lost its IT infrastructure due to a cyber incident, what would you bring back online first? What department? What manufacturing plant? What product line? Which operating room goes first? What components of your critical infrastructure must be restarted?
These are the questions only your organization can answer. Answering them outside the stress of an incident is the only way to think through all the specific issues.
- Dig into the preparations made by the IT team.
There are tasks you should begin well before a breach occurs. Ask your IT team to recommend other preparations, as each IT environment has its own characteristics.
- Confirm your team can provide an accurate, up-to-date network map and inventory of IT assets: both hardware and software.
- Turn on logs such as firewall logs and syslogs, collect them in a centralized, off-line storage location, and maintain them as long as you can (at least 30 days).
- Limit all users to one user ID/account, except for certain IT users who need a separate account with elevated access to perform specific functions.
- Ensure all service and system accounts have an owner who can explain what the account does.
- Require strong passwords and multifactor authentication.
- Research cyber insurance.
As the insurance and reinsurance market becomes more sophisticated in the realm of cybersecurity coverage, the windows for coverage continue to close. Now is the time to begin looking at these issues.
- Do you even have cyber insurance?
- If your organization is self-insured, have you designed a captive insurance pool that is ready to withstand a cyber incident?
- What are the types of coverage available to your organization?
- Has a legal team reviewed the coverage for holes or gaps?
Finally, cyber insurance may not cover all the expenses you will likely incur in a cyber event. How are you mitigating that risk?
- Prepare for the fight of your organization’s life.
With many cyber insurance policies, you do not get to choose who comes in to defend you or secure your organization after a cyber event occurs. You can often negotiate to have your legal vendor or cyber forensics vendor of choice put into the mix with your policy, but you have to do that in advance―not during a cyber incident.
If your organization is about to be the next news headline because of a major cyber event, do you want the technical and legal experts standing next to you to be strangers or trusted partners? Make relationships now with trusted vendors and develop those relationships in advance.
Finally, get creative with how you plan for an event. For example, attorneys in the Woods Rogers Cybersecurity & Data Privacy Group are available on demand when a cyber incident occurs through our cyber incident retainer program. Woods Rogers also offers an extensive tabletop exercise program where your organization can practice its reflexes on hypothetical cyber incidents.
It’s no longer a question of if an organization will be impacted by a cyber incident, but when. The time to plan is now.