Does your organization know what to do if law enforcement came knocking on your door?
Honestly, we have work to do to be prepared for such a situation. Our organization knows to direct the news and the messenger to our Legal and IT teams. Both teams know how to understand the message and findings, understand the impact to consumers and us, inform our cyber security insurer and exec branch, and prepare for response and corrections. We are in the process of defining our process regarding who to call first, recording incident details, in parallel stopping the bleeding, informing customers, fixing the issue, building prevention procedures to avoid a bad day like this, etc. We have made progress; we just aren't there yet.
I'd love any advice from you, Scott, and others on what you recommend organizations should do to prepare for such a situation, and areas to work on to prevent having a bad day.
Similar to Chirag, we have improvements to make to our planning and preparedness. Where we have done some things: we have policies in place to know how to react, what we need to do, and notifications with regard to a breach, and our Privacy/Compliance team puts effort into understanding national and international laws. We use this to improve our overall readiness, such as hard drive encryption and other measures.
Another thing that we've been doing is tabletop exercises. We've been conducting about 1 per quarter with different scenarios. We include IT, HR, and Legal, plus any necessary individuals with focus on our exercise topic. We use this to improve our processes and better overall preparedness.
Great question from Scott and a great reminder that every organization needs to be prepared for this situation. While larger organizations have security, communications and compliance positions, many smaller companies do not. Regardless, the risk of a cyber breach has no boundaries. Your first defense is having good, established information security controls along with heightened awareness among all employees. Even with these best practices, a breach can and likely will happen. I agree with other IT Pack members that this scenario is not an IT issue. It’s a business issue. And as such the business needs to embrace the reality and include all aspects of the business to prepare and protect the organization. Tabletop exercises are a great way to discuss and determine how a plan can be executed and where gaps exist. I also recommend that every organization have a third-party cyber security organization working with them. These companies are focused on cyber and extend a 24x7 watch of your data and your enterprise, something that most companies don’t or can’t do. Also don’t forget about cyber liability insurance. This new type of coverage is very affordable and can pay for itself many times over in the event of a serious cyber breach. Bottom line: be prepared, stay informed, perform drills, and leverage the expertise of a cyber security partner.