The National Convergence Technology Center (CTC) is headquartered at Collin College just north of Dallas. Because Collin College is a member of the North Texas chapter of the Information Systems Security Association, CTC staff is often invited to ISSA events. One recent monthly meeting featured a panel presentation on how to manage cybersecurity incidents from the perspective of a business.
Below are some highlights of that talk.
* The biggest takeaway – repeated several times by all of the panelists – was the importance of business connecting with law enforcement in advance. It’s essential to make law enforcement partnerships before your company experiences a cybersecurity incident. One panelist stated that companies are unwise to assume their in-house pen tests are sufficient. Face the reality of the threats proactively, rather than hoping it won’t happen to your company.
* Companies must be transparent communicating the problem to customers. Do not hide it, do not try to cover it up. The truth will eventually come out.
* The IT department also needs to be transparent with their executives. Cybersecurity incidents often start small and then grow large. An employee clicking on a phishing scam link, for example, can end up opening up the entire company to a ransomware attack. One panelist noted that he wouldn’t want a Chief Security Office who isn’t interested in hearing about all incidents, even “small” ones.
* Law enforcement isn’t interested in pointing fingers when there’s a cybersecurity incident. Law enforcement views the company as the victim.
* Not only must a company develop an Incident Response Plan, but it must also ensure buy-in across all departments by framing cybersecurity in terms of revenue, customer service, and business outcomes. One panelist put it like this: “Don’t nerd it up.” Frame the Incident Response Plan in language that resonates best in each department. Use terms they understand; for accounting, it’s numbers and money and for marketing, it’s brand and image. Creating an Incident Response Plan in advance can also help educate CEOs, who don’t often understand IT basics.
* One panelist noted that just as the mail room clerk needs to always be thinking about the physical security of incoming packages, so too must every employee always be aware of cybersecurity threats. The IT department may feel secure, but the company is always susceptible because of the choices made every day by every employee.
* Local and state authorities are typically not equipped for large scale incidents, and may inadvertently give bad advice because of their lack of training and experience. Local and state authorities will often seek help from federal agencies like the FBI, the Secret Service, or the Department of Homeland Security’s Cybersecurity and Infrastructure and Security Agency. Again, this is why making connections at those agencies in advance is so critical so a company knows who to call when a cybersecurity incident happens.
* There are risks that come with notifying law enforcement of a cybersecurity incident. While they may certainly have information that can help remediate the problem, if the incident is connected larger threats law enforcement may issue subpoenas and confiscate equipment as evidence. They’re addressing the law enforcement threat, but possibly hurting the company’s business. One panelist noted that ”you cannot un-ring that bell.” Once law enforcement is notified, the legal system wheels will begin to turn. Linked to this, be sure that any internal remediation efforts don’t unintentionally harm law enforcement investigation by spoiling necessary evidence.
* With so many companies unable to support a full-time IT cybersecurity department, outsourcing to third party vendors is common. Those companies, however, must make sure that the third-party vendors they hire are employing tests and procedures are forensically sound.