Throughout October, Rapid7 has run a series of blog posts designed to help you talk to the C-suite of your organization about security. We've focused on why executives should pay attention, what they specifically need to focus on, some ways to improve organizational security, and how you can turn security into a business strength.
Today is the last day of October, and while we're marking the last day of Cyber Security Awareness month in the US and Europe, many are also celebrating Halloween. So I think it's appropriate we close out this series by facing our fears; today we're talking about what happens after we've been attacked. How do you respond to a crisis?
Why is this important?
The website datalossdb.org tracks reported data loss incidents around the world, currently at a rate of seven events every day. That means the odds are pretty high that at some point your organization will experience some kind of security incident. You can reduce those odds by understanding your risk and mitigating it where possible, but you can never make yourself completely invulnerable.
It's critical to understand this and take appropriate steps now. The way you respond to a crisis can make or break your business, and being prepared is the first step towards continuity and consistency in your business.
How do you prepare?
1) Map the Terrain
The first stage is to understand the kind of incidents you could end up dealing with. For example, you could be breached by an attacker; or a bug could be discovered in your products or services that exposes your customers to risk; or a bug could be discovered in a third party service or software that you leverage, again exposing your customers to risk. These are just a few examples, and response to each may require different actions and stakeholders, so it's important to understand what the major scenarios look like and how they would impact your business.
2) Understand the Legal Requirements
There is a great deal of regulation and legislation around the collection and storing of certain types of data. Similarly there are requirements around disclosure should this information be compromised in some way while in your care, and these vary from state to state. You need to know how these impact your business and what will be expected of you in various security scenarios.
3) Agree on a Plan
You need to build a plan for each of these scenarios, identifying the various activities that are required for each and establishing SLAs for delivery. Know the order of certain processes and how various activities create dependencies on each other. For example, what is the process for launching an investigation, at what point should law enforcement be notified, and how does an investigation impact your communication to customers and the community?
4) Determine Roles and Responsibilities
Part of building a plan is assigning roles and responsibilities for core stakeholders. It's important everyone is clear on their role and the processes involved should an incident arise. It doesn't hurt to practice – you don't want the real thing to be the time you have to figure it out if you can avoid it.
5) Detection of Compromise
According to Mandiant, it takes an average of 229 days for organizations to discover they have been compromised. Frequently we hear of cases where organizations learn of their compromise through a third party such as the Secret Service or FBI. The longer it takes you to detect an incident, the worse its likely impact will be, so it's worth investing in robust detection and response measures and staffing to cover them.
What Should Your Plan Cover?
Your plan should cover three main areas:
- Incident containment and mitigation
- Incident investigation
- Communication – both externally and internally
For each of these areas of activities, it's important to break down the constituent parts and ask the following questions:
- Who owns the activity?
- Who are the other stakeholders, and what is the communication mechanism for managing the process?
- What is the SLA or timeline expected?
- Where does this fall in the overall process?
- What are the dependencies and threats?
- What are the legal requirements?
Effective Crisis Communications
In the event of a security incident, an organization will often have a dedicated internal team, seek external expertise, or both, to handle the technical aspects of the response, specifically containment and investigation. In many cases, though, they will scramble to handle communications through their standard channels and personnel, who likely will not have a security background and will not be familiar with the terrain they find themselves in.
The team will be hustling to respond to a situation that will likely be unclear, without relevant experience, and frequently in the face of rumor, press interest, and panicking customers. In this environment, it's easy to make a wrong move. We see organizations rush to get a statement out before they know the facts, or at the other end of the spectrum, fail to communicate at all. We see misinformation, confusing advice, evasiveness, and inconsistencies. This can turn an unfortunate situation into a reputation nightmare, and potentially increase the chance of lawsuits or other negative responses.
So what's the right way to do it?
Firstly, it's important you consider INTERNAL and EXTERNAL communications as two separate, but highly co-dependent elements. Below are my “Dos” and “Don'ts” for managing crisis communications:
- Do treat information as need-to-know during initial response. It's tempting for those working on the response to talk about it, and it's tempting for those not working on it to speculate. You need to create policies and communicate them clearly so stakeholders know what is expected of them and that information should be kept confidential.
- Do arm ALL your employees to handle inbound enquiries. The entire company should know who the approved spokespeople are (and you should have just one or two spokespeople to create greater consistency of message) and how they should handle inbound enquiries. There must be a clear escalation path.
- Do create an FAQ so employees can respond to customer and partner enquiries with consistent messaging. Even if you don't want to give any information out, an FAQ can help employees anticipate questions and respond with grace and confidence, as well as providing consistency of message across the company.
- Do coordinate timing of internal and external communications:
  - Once you communicate to the company as a whole, the news will leak out, so you need to have an external statement ready to go out at the same time.
  - If the story has already appeared on social or traditional media, your employees will likely already be fielding questions and speculation, so again, you need your internal communications to coordinate with an external response.
  - Communicating publicly before communicating with the internal team negatively impacts employee morale and creates confusion and speculation.
- Do be responsive. Your customers will be in the dark and worried. Do what you can to help them understand what's really happening and what they need to do to protect themselves. Communicate what you can as soon as you can, but don't rush to do it at the sacrifice of clear, helpful communications.
- Do get your story straight. Be clear on who in your team owns message development, approvals, and delivery in advance. You will have questions coming at you from all angles, and the media may well get involved, so take time to agree a clear message and try to anticipate various lines of enquiry so you are prepared with relevant, crisp responses.
- Do keep it simple. Focus on sharing information that will help protect your customers. Avoid jargon and unnecessary details that just create more confusion. If customers need to take action, provide simple, actionable guidance. If they don't, state that directly.
- Do live it, don't just say it. If there is an action you can take to protect your customers or help them protect themselves, do it and explain what you have done and why. Make it as easy for them as possible.
- Do be transparent. It's very natural to be defensive in this situation and take an evasive approach. This doesn't help your customers and it will likely bring more scrutiny your way.
- Don't over-share. This is the other extreme of the point above. It's important to be clear and to the point with your customers – tell them the information that is most meaningful for them. Do not share unnecessary or confusing information. And do NOT feed speculation. If you have an investigation underway, state that and share findings when you can. Do not provide theories before they are verified as fact.
- Don't let the media set your communications strategy. Once the media starts to get interested in the story, you feel the pressure is really on. Do not allow this to trip you up. Communicate clearly that you are investigating and will issue a statement as soon as you have something to share. Having your message clearly stated in an internal FAQ will help you stay on point and avoid unnecessary confusion.
If you have any questions, or would like to share additional tips for navigating the pitfalls of crisis response, please do share them in the comments below.