All business leaders, including those on executive boards and committees, are expected to prepare their corporate responses to security incidents ahead of time, rather than react when an incident occurs. This piece provides some foundational guidance
for executives, detailing exactly what is expected of them before, during and after a security incident.
Incident Response: Guidance for Executives
Organizations are responsible for protecting a variety of confidential business information, all while adhering to an assortment of compliance and regulations. Regulatory agencies are levying fines and sanctions for lack of data protection and poor incident
response (IR). Organizations are now facing above-average pressure to defend their systems and data from accidental breach and deliberate outside attack.
All leaders across the organization, including those on executive boards and committees, are expected to have IR scenarios planned and their corporate responses prepared ahead of time, rather than simply reacting when a security incident occurs. The following
six steps provide some foundational guidance.
1. Participate in Tabletop Exercises
Leading in times of crisis is an executive management duty. Failure to come to a consensus on key policy decisions during an incident (e.g., whether to pay a ransom or hire outside expertise, how and what to communicate to key stakeholders, etc.) causes
stress, confusion and mistakes.
Regular executive tabletop exercises that present the most likely incident scenarios and enable executives to role-play responses is a necessary component to being prepared.
Management at the highest level should be expected to help define the top, most likely loss/attack scenarios and participate in regular executive-level tabletop exercises to test assumptions, unify policy decision-making and verify the completeness
of response playbooks.
2. Contribute to Incident Playbooks
Incidents often occur at inconvenient times. Outside attackers deliberately choose dates and times when the business is distracted or vacationing. Management must have a playbook that enables the organization to take the first steps to respond smoothly
and quickly.
Many people in the organization will be asked to lead in a serious incident, but few have been through real battle conditions. Without an incident playbook, “learning on the job” will create confusion and delays and lead to mistakes. Playbooks
should include:
- Who to call/notify.
- Which outsiders should be brought in.
- Who should be involved and take responsibility for the various roles.
- Which bridge lines, call leaders, meeting scheduling, war rooms, etc., should be established in advance.
When an incident is declared, the first steps are to secure the safety of individuals and systems and stop the bleeding. Teams must identify the initial source of the intrusion and shut down related components (e.g., workstations, compromised credentials,
servers, websites, etc.) to close whatever holes caused the incident. Executives can participate here by keeping the team focused on the task at hand. They should also request a rough estimate of impact (best case, worst case, most likely) to be used
as a basis for planning next steps.
DOWNLOAD: Essential Guide: Ransomware Prevention and Response
3. Get Help Lined Up
Significant incidents spread quickly through the organization and out into the business world. Various business and department heads will need to be mobilized. Some examples include:
- Corporate communications to help communicate with employees, outside entities and the public.
- Customer relations to help with customer notification or credit monitoring letters.
- Finance to help pay any bitcoin ransom or to change budget and spending forecasts due to unexpected expenditures.
Outside vendors with previous experience will also need to be used. Statements of work will need to be negotiated and on the shelf so these experts can quickly assist in the investigation and remediation phases. Some examples include:
- IT and forensic specialists to help analyze existing data from incident response tools and logs to assist forensics.
- Outside legal staff to help with attorney-client privilege and any impact to consumers across state or national boundaries.
- Cyber insurance firms to ensure incidents are covered appropriately. Cyber insurance companies like to limit payments. It is vital to contact them early if you
expect to get full reimbursement.
4. Control Information and Pacing
Clear and accurate information is seldom available in the early stages of an incident. Executives should avoid making firm or detailed statements to the outside world that will have to be walked back later. Instead, allow the situation to evolve.
As details of the data and systems impacted become clearer, seek guidance regarding regulatory reporting. Pay particular attention to when the notification timeline “starts ticking,” meaning the timeline doesn’t start on the day you
first learn about the incident. You are allowed time for investigation, analysis and confirmation.
To preserve attorney-client privilege and control side-channel leakage, it is a good idea to have legal counsel and corporate communications control all information flow (externally and internally).
It’s also important to resist the desire to ask for frequent updates from the technical team. Frequent meetings force key workers to focus on status meetings with business executives rather than getting up-to-date answers and making progress on
incident containment and response.
5. Ensure All Incident Artifacts Are Preserved
Be aware that conversations, meeting notes, emails, documents, etc., associated with the incident may be discoverable. All those involved in the initial response, repair, investigation and eventual remediation must be aware that incident artifacts cannot
be arbitrarily destroyed or altered.
Executives should ensure the IT group, in cooperation with the legal department, places the appropriate legal holds and secures copies of all artifacts during and after the response.
6. Manage Post-Incident Fallout
Incidents often have long tails. Executives must manage the post-incident fallout and strike a balance between transparency and legal exposure for any statements admitting guilt/culpability. They must also pay for the extra costs incurred via budget realignment
and engagement with cyber insurance companies.
READ: What Security Teams Want to Know About Responding to Ransomware Attacks
Executive’s Role in Incident Response
The time to start planning to respond to an incident is now. Executives across the organization should:
- Help define the most likely incidents and their potential impacts for scenario planning.
- Identify key management decisions that will have to be made ahead of time and include these in tabletop exercises.
- Work with partners: In conjunction with your internal security team, retain an outside tabletop testing firm to develop specific scenarios that will take executive management through key decision points to build a consensus.
- Identify departments impacted: Create a cross-functional team to identify who specifically is impacted during a typical incident and how. Have a checklist of response expectations for each department that includes preparing and practicing their
incident response playbook and working on outside vendor statements of work.
- Focus on situational awareness and good communications: Be sensitive to the needs of internal and external stakeholders and what is communicated to them, as well as any regulatory obligations and timelines.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.