Andrew Cook is the incident response and hunt capability lead for Delta Risk, and manages the company’s ActiveResponse services. He explains the important role a data breach coach can take in guiding response teams through a cyber security incident.
Imagine this nightmare scenario: it’s late in the work day, and you’re just about ready to pack up and go home. Your phone rings and you answer it with a sigh, hoping this won’t take long. It’s the FBI. Gigabytes of your sensitive and proprietary information have been posted online, including internal emails and employee records. As you digest what Agent Smith is telling you, your inbox is flooded with messages from security bloggers and other media; concerned partners, employees, and customers; and a note from someone threatening to release even more data unless you pay up.
Situations like this may sound extreme, but they’re certainly not unrealistic or uncommon. Just ask employees at Sony about their experience in 2014. While many organizations are unlikely to see such a targeted and debilitating attack as Sony did, most are poorly equipped to handle even a modest variation of this attack.
When the alarm goes off and an incident occurs, what will you do? You may have an in-house IT team, but are they prepared to handle the legal, regulatory, operational, and human resources nightmare of a bona-fide crisis? You may have an incident response plan, but when was it last updated? How confident are you that it will actually work? Does anyone even know where it is?
Here are five ways a breach coach can help deliver a swift and successful incident response.
1. Leadership
Sound leadership during a crisis keeps productivity intact. Breach coaches support your leadership by giving them the information and confidence they need to make informed decisions. Rather than feeling overwhelmed or out-gunned, a leader paired with an experienced breach coach will feel empowered and in control. A breach coach should also serve as an informal leader to your teams. Your teams will appreciate having someone who can share experiences, guide them in the right direction, and ensure rational decisions are being made.
2. Communication and Coordination
The term “fog of war” refers to the uncertainty and confusion in a crisis. While it may not take place on a battlefield, coordinating a response to an incident in a corporate environment is complicated, and there are many moving parts. Internally, you need to pass information through many channels, such as IT, security, legal, finance, HR, customer service, and others. You also need to consider how to communicate with external parties such as law enforcement, vendors, and the media. Everyone has questions but not everyone has answers. Breach coaches should be masters at restoring order and keeping accurate communication flowing.
3. Rolodex of Specialists
Access to third-party agencies and resources can be critical during an incident response. Developing relationships with these partners, vendors, and experts before an incident occurs is important but sometimes overlooked. You don’t want to find yourself on hold with your firewall vendor’s 1-800 support line, or spend hours researching law firms while you’re losing precious time and money to an attacker. A breach coach comes with a list of trusted relationships and contacts to handle nearly every situation. Through a breach coach, you not only gain access to these resources, you also save the valuable time it takes to vet vendors.
4. Proven Incident Response Plans
Incident response plans are the cornerstone of professionally handling an incident. Whether your incident response plan is a shining example or non-existent, a breach coach can work with what you have (or don’t) and fill in the gaps. While you may be struggling to simultaneously learn, implement, and evaluate your existing incident response plan, breach coaches have already internalized their plan. Beyond a plan, breach coaches should also have all the forms, templates, briefs, and other documents that enable them to execute the plan.
5. Familiarity with Laws and Regulations
It would be unrealistic to expect every breach coach to be a lawyer. However, a prepared breach coach should remain aware of the legal and regulatory requirements around incident response. This expertise can save you from unexpected fines and litigation. In particular, notification management has some important legal ramifications that should not be ignored. A breach coach should make you aware of when and how to let the appropriate parties know about a breach, or when you’ve reached a situation with legal or regulatory implications.
Conclusion: A Breach Coach Delivers Under Pressure
Ultimately, having a coach on your side is invaluable. Good breach coaches bring plans, forms, contacts, and cheat sheets as effective tools for the job. They’ve also seen variations of problems. When something new comes up that no one has seen before, breach coaches are better equipped to adapt and tackle the issue.
To see what other steps you can take to improve your incident response tactics, check out our threat hunting and cyber exercises blogs.