Best Laid Plans
“CyberInsuranceInsights” is a Blog Series that shares ideas, advice, and experiences from the BlueVoyant Professional Services team. The blogs discuss the lessons learned from assisting clients navigate post-breach insurance claims and pre-breach preparation.
The famous quote from John Steinbeck’s novella, “Of Mice and Men”, is adapted from Robert Burns, “To a Mouse” poem; “the best laid schemes o’ mice an’ men…often go awry”. This quote doesn’t apply to cyber security planning. Studies have shown that a proactive approach to cybersecurity greatly reduces the chances of business interruption when an incident turns into a breach. It is high time for organizations of all sizes to take a proactive, defensive stance when it comes to cybersecurity. You must plan as if you have already been compromised, take a threat actor’s view into your organization, and prepare for the inevitability that you will be targeted and breached.
A threat actor’s view into your organization – while a bit unsettling – should help you assess:
- Have you performed any assessments to determine your risk level?
- Are you accurately measuring your cyber risk?
- Are your personnel properly trained to defend and respond?
- Do they understand what’s expected of them to prepare and/ or remediate incidents?
- As a leader, are you prioritizing your cybersecurity roadmap to address risks appropriately?
Adversaries are going to get through your layered defenses eventually. No matter how high you build your walls, they will eventually get over them, but there are steps you can take to make yourself less attractive to threat actors. You don’t want to be a quick and easy target. You need to secure your enterprise.
Planning is a crucial cybersecurity activity - the question of whether or not you’ll be a target isn’t a question at all. It’s not “if” you’ll be targeted, it’s “when”. Incident response planning allows you to develop both a strategic and a tactical plan for an incident. Your plan must include an examination of organizational information and security policies, and should be aligned with the organization’s objectives.
When it comes to policies, your plan should outline in detail how your organization will respond to incidents. Once you have a plan, then you can begin to develop playbooks for specific incidents. Playbooks work like an “if/then” flowchart. For example, a ransomware playbook could include “If we are hit with WannaCry, then we will do 1, 2, 3, etc.”. Playbooks can help you plan for fraud incidents, insider threats, and more. Each playbook should include actual step by step details about how the organization needs to respond to those particular incidents.
A proper plan will outline how you plan to accomplish and perform necessary tasks, such as a network isolation or host containment. Planning for a variety of scenarios will arm your organization with the actual step-by-step process necessary to make the proper decision under pressure. When the heat is on, you want to have a plan instead of panic.
Robust IR Plans will take into account the multiple business divisions, such as finance, legal, and HR. For example, when an incident strikes, the plan should ensure that the chief financial officer, the general counsel, the head of HR, and all personnel are aligned and coordinated so nothing is left up to chance. Don’t simply talk about the “what ifs” and the responsibilities. Use a written plan that’s been tested through a tabletop exercise so that everyone knows their role and responsibility.
As you build out your IR Plan, there are several key components to consider: a threat classification system, internal and external roles and responsibilities, processes for responding to incidents, and internal communications.
Classifications and Severity Matrix: Understanding whether an incident has a low, medium, or high impact on business operations will determine the severity and response. Using a matrix can help you triage.
- Low level: minimal impact, minor loss of operational efficiency
- Medium level: data at risk of exfiltration and may have been compromised, operations impacted
- High level: service disruptions, sensitive information exfiltration, data compromise
Levels should be assigned once you understand what has been impacted - from the asset type to the scale and scope of the threat.
Cyber insurers can help you prepare. Insurers are offering proactive services to encourage organizations to develop these plans. In addition to incident response panels, insurers are building proactive panels. This model allows insureds to access experts who can help with the pre-breach preparation. In fact, some insurers offer financial incentives to increase the uptake. The benefits are tangible; insurers position its insureds as better risks and in turn, they may reduce losses and claim payouts.
Further, the matrix outlined above mirrors the underwriters’ criteria they factor into the risk evaluation process. Underwriters consider the impact an event will have on business operations and try to predict the possible frequency and severity of particular events – especially the current persistent threat of ransomware attacks.
It is imperative for you to take an analytical approach and an honest assessment of whether or not your current cybersecurity meets industry standards. Using tests and controls, you can ensure that your organization is more fully prepared, with policies and processes, to efficiently and quickly respond to a breach.