There is an old joke about a party of travelers that manages to lose its way. To get to their intended destination, they ask a farmer for directions. In a very terse manner, the farmer replies, "If I were you, I wouldn't be starting from here!" Now, this is a blog about cybersecurity, so why this old joke? Well, the answer is very simple: if you are dealing with a major cyber incident, there will be no time to stop and ask for directions. The organization and the thinking need to be done largely before the event and not during it. The required mindset is more "a place for each thing and everything in its place":
- Incident procedures and definitions - check
- Incident response team - check
- Recovery plans - check
- Escalation process - check
- Board support - check
- Communications plan - check
But once you are in the thick of it, there is a rule of three that can be followed and that does make life easier, as we all like thinking in threes: gold, silver, bronze; blood, sweat, and tears; and so on. But I digress. The rule that you need is this one:
1. Focus
2. Prioritize
3. Communicate
«Poor communication is the fuel of failure» - David Mantock
Time is of the essence, so the first issue is to target your efforts at what is in focus. Closely related to this are the priorities that will be needed due to resource and dependency constraints. Poor communication is the fuel of failure, so lastly, and of utmost importance, is the communication inside your team and outside your team. Inside your team: when a task has been defined, make doubly sure that who does what, and how, is clearly understood, as these situations are perfect for showing the truth in the saying "more haste, less speed". Outside your team: status updates to management, users, and other stakeholders need to be clear, succinct, and factual. What will be done and by when? What are the blocking points and how can they be overcome?
When it comes to communication, you also need someone who is a furious note taker: "the pen is mightier than the sword", and detailed evidence collection will lead to the following benefits:
- Be able to go step by step through what has happened
- Identify previously unknown weaknesses and deficiencies
- Reduce the possibility of a repeat of this incident
- Plan improvements that will speed up resolution of future incidents
Finally, when all is up and running, make sure that there is a post-incident review that is read and supported by management. Dealing with adversity is part of life, but if we do not learn and improve from these experiences, life will be harder than it should be. A winning organization is a learning organization.
Want to learn more? Contact us regarding our Cyber Incident Planning & Response Workshop and our dedicated Breach Protection Service.