Why is it that when a company becomes aware of a potential data security incident, the team working on it (and others who are made aware that “something” is going on) have an immediate and overwhelming feeling that the company is doomed? And yet, when there’s another kind of high-risk event, such as an ethics investigation, it doesn’t cause the same apocalyptic feelings?
This happens when there’s a lack of preparation, but we can all choose to take actionable steps to turn down the temperature during incident response and help others and ourselves re-frame the issue.
Preparation is essential
Those who have built trusted internal and external relationships, have planned for the tough decisions, and understand what matters most to the company will be able to effectively navigate a cybersecurity incident without it being perceived as an existential crisis.
In our view, businesses can categorize effective preparation into two overarching categories:
1. Team-oriented planning (i.e., relationship building), and
2. Process-oriented planning (i.e., information gathering and developing and testing the company’s capabilities at both the macro and micro levels).
Below, we outline steps companies can take based on this methodology.
1. Team-oriented planning
Build relationships and trust
Professionals in the legal and IT security departments have key roles in working through a data security incident, but they often fail to build a trusted relationship in advance. That’s a pity, because when they trust each other and understand and appreciate the roles each will play, the response process is much smoother and mitigates risk to the company.
A focused operational tabletop exercise is one way to clarify responsibilities and to work through specific steps each group will be responsible for during an incident. Who will be organizing calls? Who will reach out to a forensic examiner and how would they be retained? Who will contact law enforcement and how is that decision going to be made?
(Once legal and IT security personnel are aligned, it helps to widen the circle to have the same discussions with other functions – such as human resources, public relations, and finance – who may partner with you during an incident.)
During these discussions, legal and IT security personnel can help others understand that there is a plan and can also explain the lifecycle of an incident. By explaining “here’s where we’re starting” and “here’s where we’re heading,” incident response can be demystified, and these predetermined explanations can result in logical steps and discipline during a real incident.
Working through who from your company will be engaged and building trusted relationships with them is only one piece of the puzzle. Companies are best placed to respond to an incident when they have also worked to build outside relationships – with law enforcement, crisis communications firms, forensic examiners, and outside legal counsel.
This also extends to making sure you have built and understand those relationships with your key suppliers, as incidents impacting your suppliers can cause significant disruptions to your company.
Identify the decision makers and the detractors
When an incident is in progress, it is crucial to know who is empowered to make key decisions.
There will be lots of people offering (often conflicting) advice, and some who will criticize but offer no solution. The true decision makers need to know how to filter out that static and know who and what they will rely on to make the decision.
They are also well served by having partnered with legal in advance to work out how they will ensure, and document, that key decisions were made in good faith, based on the information known at the time, and with an understanding that incident response often deals with incomplete or imperfect information. Key decisions to think through include:
- Who will decide if the company is taking potentially impacted systems offline?
- Who will decide whether the company will make a public statement to the media or customers?
- Who will give the all-clear and say normal business operations can resume?
Practicing these high-stakes decisions with ever-changing and often limited information is critical. Planning how they will be made, and accounting for logistical challenges – for example, those faced by global and decentralized businesses where management may be spread across time zones – can bring calm to the storm.
2. Process-oriented planning
Know your business, identify your myriad potential obligations
What are the key geographies for your company? Who are your key regulators? Many countries and sectoral regulators – such as the Securities and Exchange Commission (SEC) in the US – are shortening the time allowed to report incidents while simultaneously expanding both what constitutes a reportable incident and the scope of their post-incident inquiries. To prepare, stay on top of current notification requirements and expectations, understand your company’s operations and the data it processes, and understand how your company plays its part in the digital economy.
Who is impacted, and what is the impact if your operations shut down? Start planning now for how you will work through these issues, so that when an incident occurs you know the discrete steps you will take to assess risks and to determine to whom you will report the incident. Writing these steps down as you think through them will help keep the response on track when a significant incident occurs.
Learn from every test and incident
Familiarize yourself with your company’s incident response plan and figure out if it works before an incident unfolds.
Legal and IT security departments should use the data issues that pop up every day – whether it’s a misdirected email or a lost laptop – as real-life test scenarios. These are opportunities to talk through the technical and operational steps, and the knowledge gained from them will carry over to larger-scale incidents. How will you determine whether data was impacted when an email has gone to the wrong person? How will you think through the technical controls you’d expect to have in place on a company laptop? Use these moments to improve your team’s readiness to respond.
Conclusion
The steps described above are important ones everyone can take now to bring some clarity (and sanity) to real-world incident response processes.
You may still feel like you are choosing between a rock and a hard place when an incident unfolds, but knowing how you will make that choice, and trusting your partners in the process, may help you not to view the incident as an “end of days” event. With proper planning, we can all start looking at data security incidents as manageable business risks and not existential crises.
Contributing author: Linda Clark, Partner in Morrison Foerster’s Privacy + Data Security Group