The importance of a battle-tested incident response plan

By Paul A. Ferrillo on December 10, 2014

“Resiliency is the ability to sustain damage but ultimately succeed. Resiliency is all about accepting that I will sustain a certain amount of damage.” – NSA Director and Commander of U.S. Cyber Command Admiral Mike Rogers, September 16, 2014.


Last week’s cyber attacks against two major corporations serve as important reminders that a cyber breach is an inevitability in this day and age, and that a company and its leadership need to be prepared.

Yet as we have learned, “preventive” measures are simply not enough.

The bad guys are too far ahead of the malware curve for that.

We have also learned that there are no such things as quick fixes in the cyber security world.

Instead, the best approach is a holistic approach: basic blocking and tackling such as password protection, encryption, employee training, and strong, multi-faceted intrusion detection systems really trump reliance on a “50 foot high firewall” alone.

But there are also two more things that are critical to a holistic cyber security approach: a strong, well-practiced Incident Response Plan (IRP), and, as Admiral Rogers noted above, the concept of cyber-resiliency, i.e., the ability to take your lumps, but continue your business operations unabated.

What are the essential elements of a Cyber IRP? Why are IRPs so important to your organization?

The Organizational IRP Paradigm: Basics and Important Initial Questions

For assistance with these questions, it is helpful to review The National Institute of Standards and Technology’s (NIST) “Computer Security Incident Handling Guide,” which notes:

Computer security incident response has become an important component of information technology (IT) programs. Cybersecurity related attacks have become not only more numerous and diverse but also more damaging and disruptive. New types of security-related incidents emerge frequently. Preventive activities based on the results of risk assessments can lower the number of incidents, but not all incidents can be prevented. An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring IT services.

In short, the NIST provides the raison d’être for an IRP: preventive measures are necessary, but not sufficient, to sustain operations in the face of the omnipresent cyber threat. A response capability, and a plan for executing it, is necessary and sufficient. It is important to note that each element of an effective IRP has multiple sub-elements, and multiple levels of complexity. Consequently, effective IRPs must not and cannot be “one size fits all.” They will differ depending on an organization’s size, complexity, and industry sector, as well as on the types of personally identifiable information (PII) stored by the organization, and where that data is stored.

However, prior to examining the intricacies of an effective IRP, we need to focus on the questions that directors, officers, CIOs, partners, and other senior executives must ask about their company’s IRP prior to learning that the inevitable has become reality–that “we’ve been hacked.”

Those questions become apparent in light of the ultimate goal of responding to a cyber threat: “get back in the game (safely)” as soon as possible in order to keep your customers, investors, and reputation intact. An attendant goal is to demonstrate to regulators, such as the SEC, OCIE, FINRA, or FTC, that you have paid attention and planned ahead. The questions, then, include, among other things:

  • Does the organization have a standing, written, and enterprise-wide IRP?
  • Has the IRP been tested, in terms of both its ability to discern between cyber “events” and cyber “incidents,” and the organization’s ability to execute the IRP following an incident?
  • Does the IRP get the organization back in the game?

For the uninitiated, a cyber “event,” according to the NIST, is “an observable occurrence in an information system or network.” A cyber “incident” is a disruptive occurrence, a “violation of computer security policies, acceptable use procedures, or standard security practices”.

In the recent book “Incident Response and Computer Forensics,” co-authored by Kevin Mandia, founder of the security consulting firm Mandiant, the definition of “incident” is simplified:

“…any unlawful, unauthorized, or unacceptable action that involves a computer system, cell phone, tablet, and any other electronic device with an operating system or that operates on a computer network.”

In sum, a cyber “event” may ultimately be okay if it is determined, either by intrusion detection/surveillance systems or by trained cyber technicians, that the event is something akin to “normal.” It follows, then, that if, following detection, an event rises to the level of a cyber “incident,” it needs to be investigated further according to an IRP. If it is not “normal,” it could result in catastrophic consequences if not properly and fully identified (network-wide), promptly addressed, and quickly remediated. Examples of incidents include denial of service attacks launched against a network, spear phishing attempts aimed at distributing malware within a network, nation-state hacks, or cyber extortion attempts.

Once the above questions have been asked and answered, an organization and its leadership are ready to respond to the inevitable discovery that “we’ve been hacked.” Instead of “Now what?,” the answer is “Now let’s immediately invoke our IRP.”

So, what does an IRP look like?

Click here to read the entire white paper: The Importance of a Battle-Tested Incident Response Plan

Paul Ferrillo is counsel in Weil’s Litigation Department, where he focuses on complex securities and business litigation. He has substantial experience in the representation of public companies and their directors and officers in shareholder class and derivative actions, as well as in internal investigations. In particular, Ferrillo has coordinated numerous internal investigations on behalf of audit committees and special committees, and handled the defense of several significant securities class actions alleging accounting irregularities and/or financial fraud. Ferrillo also regularly counsels clients in the growing field of cybersecurity corporate governance, which is an increasingly important part of a Board’s enterprise risk management function.