The best technology in the world can’t prevent or solve all of today’s business challenges. As trusted IT advisers, VARs and MSPs must always take into account the human element within each and every fire drill they work to avoid or resolve. No matter what type of crisis a customer may face, be it a major cybersecurity incident or downtime caused by a weather event, it’s important to pay as much attention to the nontechnical aspects as to the technology.
For instance, a business that suffers a security breach has to put people in charge of different facets of the response, from notification to investigation to remediation. The same goes when activating a disaster-recovery plan. MSPs, and all channel partners, should make it part of their charters to help clients with crisis-response readiness. This means preparing them for a situation we and they hope will never happen — but they’ll be glad they were ready if it does.
A recent IBM/Ponemon IR survey shows much room – and impetus – for improvement: Seventy-seven percent of respondents admit they don't have a formal cybersecurity incident-response plan applied consistently across their organizations. Yet the cost of a data breach was nearly $1 million lower on average when organizations were able to contain the breach in less than 30 days.
There are three main phases to readiness:
1. Pre-Incident Planning: When discussing crisis response, stress to clients that they should approach planning not as if a disaster could happen but as if it will. This creates the right mindset for springing into action when things go haywire. A crisis response procedure – be it an incident response plan (IRP), business continuity plan or both – must lay out all the steps involved in responding to an unexpected event. For instance, who’s in charge of restoring data from backups in case of ransomware, and in what priority? If a cloud service or WAN links are down, what sequence of steps must you follow to get them back online? The plan should specify exactly who does what and when. Include contact information for all service providers and suppliers.
An internal communication strategy is also needed. If employees can't get into the office, what number do they call, and who will guide them as they activate the response plan? What is the chain of command?
Training is another key component of crisis planning. Employees won’t know what’s expected of them in an emergency if they haven’t been drilled on it. Sending around a document in an email isn't nearly enough. Any procedure that depends on employees reacting properly must be tested through training and drills to ensure everyone understands their roles in a crisis. There should also be contingencies for cases in which key employees are prevented from working.
2. Model Incident Response In Real-World Mode: Should a crisis occur, a company that has prepared for the nontechnical aspects of response should be able to activate its plan without blinking an eye. The problem is, customers often leave gaping holes in their strategies. We see this again and again with major security breaches, when companies either take too long to disclose a breach or botch the disclosure because they weren’t ready. For instance, the Equifax security breach caused a serious backlash as consumers complained about what they viewed as a tardy and inadequate response.
Bad PR and other collateral damage is avoidable with proper planning and assignment of duties. In a security breach, the security team or the service provider must jump into action to isolate a piece of malware, remove infected machines from the network, assess the amount of damage, initiate the forensics process and start remediation. Depending on the type of breach, the laws currently in effect (hey there, GDPR) and the business involved, there are legal requirements to address. These vary by country and state, so it’s important that the legal team always stay current on breach disclosure requirements, penalties for negligence, and so forth.
On the PR front, a company needs to make a public statement as soon as reasonably possible to address the known extent of the damage and provide assurances that it’s taking the necessary steps to respond and minimize harm to its clients. The statement should be relayed to customers, partners and any other relevant parties. This part of the response is absolutely critical: People typically are willing to forgive a company for an incident, even if self-inflected, but they’re much less magnanimous if they perceive the response as being botched or handled dishonestly.
As they say, it's not the crime, it's the cover-up.
3. Always Improve: Having a crisis-response plan is a necessity in today’s business world. But an IR plan isn’t something you come up with and set aside to dust off later as needed. It should be reviewed frequently to remind employees of their roles and ensure continuously improved relevance. It's critical to test the plan often. The best way to do that is to invoke the plan for important but noncritical events. Take the recent Meltdown and Spectre chip vulnerabilities as an example. Invoking the plan in a case like this allows you to evaluate and do nothing, or decide to apply a patch. If you help a customer invoke its plan regularly, they are gaining valuable practice for those major events that can have a significant impact, while you gain insights into the business that can help you serve them better. As we all know, practice is essential in our line of work.
Tim Brown, VP of security for SolarWinds MSP, has more than 20 years of experience developing and implementing security technology. Tim’s experience has made him an in-demand expert on cybersecurity, and has taken him from meeting with members of Congress and the Senate to the Situation Room in the White House. Additionally, Tim has been central in driving advancements in identity frameworks, has worked with the U.S. government on security initiatives, and holds 18 patents on security-related topics.