In part 1 of this series, Jeremy covered building a diversified security portfolio and actively testing gaps. He then continued in part 2 and explained how even the best-prepared defences can fail. Now, Jeremy brings the series to a close with how you can prepare for when incidents eventually happen.

"The best-laid plans of mice and men often go awry" - Robert Burns

Isn't that so true? The technology industry is incredibly complex, and there are a myriad of ways things can go awry. But cybersecurity adds an exponential multiplier to that. You literally have people you have never met, who typically have nothing against you (or your business), trying to trip you up.

And why do they do that? Because they are successful at it. If they were never successful, the reward for trying would disappear overnight. And success = money.

I'll repeat what I said in an earlier blog - I have yet to see a business that can afford every security investment they would like to make, let alone have the time to implement them all effectively to get adequate value.

We are all vulnerable to attacks becoming breaches, so what do we do when that happens? Here are three things to ensure you have in place should the worst eventuate:

A Security Incident Response Plan

This is the last thing you want to be making up on the spot. While no plan survives contact with the enemy, having no plan at all simply gives way to the enemy.

Your incident response plan needs to answer the hard questions before the pressure hits: Who makes the call to take systems offline? At what point do you notify customers? When do you engage law enforcement? Do you pay a ransom demand, and if so, who authorises that decision? These decisions can't wait until 2 am when your email server is encrypting itself.

A good plan is broad enough to allow for variances and adaptability, but specific enough to ensure you don't fall into common pitfalls when responding to a security incident. Having a plan allows people to be trained and have awareness of how to respond in an incident. The key is in the word response - we need to respond, not react.

A Business Continuity Plan

A good business continuity plan doesn't just focus on technical disaster recovery, but rather on how the business can continue to operate while recovery efforts are underway.

Businesses can often assume their reliance on technology is low, especially in industries where a large portion of the workforce doesn't sit behind a device all day. However, I've seen these businesses go from 'She'll be right, we don't really rely on technology much in our business' to 'We can't invoice our customers, in fact, we can't even look up the contact details for our customers!' in a matter of hours.

Your business continuity plan should identify: What's your minimum viable operation? If you're a logistics company, maybe that's manual dispatch and phone-based tracking. If you're a professional services firm, it might be read-only access to client files and the ability to send emails. If you're in manufacturing, perhaps it's maintaining production while losing access to inventory systems. Know what that looks like before you need it.

If you lose access to, or cannot trust, your normal tools of operation, what will you do? A good business continuity plan will consider this, alongside recovery of technology platforms.

A Communications Plan

Depending on the profile of your company, reputational damage may well be a consideration when a cybersecurity incident occurs. While some of the communications plan may sit within an incident response plan, the communications component deserves separate attention.

Your communications plan needs to cover multiple audiences:

Internal communications: Who needs to know what, and when? Your executive team needs different information from your frontline staff. Controlling the internal narrative prevents rumours and maintains confidence during the response.

Customer communications: When do you notify customers? What do you tell them? The timing matters - notify too early and you're creating panic without facts; too late and you've lost trust. Get legal advice on this, but don't hide behind lawyers. Customers value transparency, even when the news is bad.

Regulatory notifications: The worst time to discover you need to notify the Privacy Commissioner within 72 hours is 60 hours into an incident. Know your obligations under the Privacy Act. If you operate in regulated sectors - health, finance, critical infrastructure - understand your specific reporting requirements.

External stakeholders: Suppliers, partners, insurers - who else needs to be informed, and through what channels?

A communications plan can include things like who is authorised to speak to the media, and what training they require to prepare them for this. Personally, I have had media training multiple times in my career, which has been incredibly valuable. There is a fine line that must be walked with either speaking to the media or making public statements - honesty is a must; however, some information is sensitive and cannot be shared. Trying to shut down legitimate lines of questioning can open up a can of worms. Evasiveness will erode trust and may well become part of a storyline. When put on the spot, you will want to be prepared.

Here's the critical part: these plans are worthless if they sit in a SharePoint folder gathering digital dust. Run tabletop exercises. Pick a scenario - ransomware, data breach, supplier compromise - and walk through your response. You'll find gaps. Better to find them in a conference room than during a live incident. The point is to be as prepared as you can and ensure your preparedness does not solely focus on technology.

Post by Jeremy Nees
4 Nov 2025
Jeremy is our resident thought leader with a huge amount of knowledge on all things cloud, having worked across service provider environments, local government and large enterprise organisations. Jeremy is responsible for leading our enterprise cloud and security consulting and cloud-managed services, with a focus on the productisation of our wider global service offering.