Chief Technology Officer Ronan Brennan visited the popular TSAM conference in Boston last month – in this series of five blogs he outlines some of the key issues he discussed with attendees.
The firms with the best and most pro-active cyber defences are often the worst responders if their defences are actually breached. Why so? Because a breach is new to them and they are immediately thrown off kilter by the attack, unless of course, they have rigorous and frequent table-top exercises to prepare for such situations.
So it’s ironic that the firms that respond best are probably those that had an attack in the last year – the imprint of the lessons learned are burnt hard into their response psyche.
At TSAM Boston we heard that the no.1 lesson that arose in the post-mortem/lessons-learned meeting after a cyber-attack was to call outside counsel (OC) as soon as a breach was suspected. So why call your OC? And why call them first?
If cyber breaches are new and rare to you, knowing exactly what to do and when may not come naturally. Your external counsel, on the other hand, is working with many of your peers, and they will have an immediate playbook that they bring to the table regarding how to respond.
Your General Counsel and CCO have natural conflicts that are difficult to steer around in periods of stress; it is precisely times like this that you need the calm, clear and unambiguous view of your OC and their plain talking view on what needs to be done.
The OC can handle quite a few things that will free you up to do the essential and immediate work of understanding what happened, the full scope of the breach and the impact on clients. For example, the OC can immediately engage your insurance agents.
If appropriate the OC can inform applicable law enforcement and state authorities. This is a critical benefit as your communications with the OC are privileged. This allows you to disclose in full all of your fears, which in turn allows the OC to make the correct and appropriate disclosures to the proper authorities within the legislative timelines mandated by the scope and geo-nature of the breach.
Your OC should also be able to recommend an excellent cyber-event forensic analysis firm to fully understand what happened and the full breadth of the attack.
So how does one prepare for the correct response to an attack, without actually experiencing one for real? Simple – you engage in regular table-top exercises and implement short/no-notice war games to prepare the broader team for the exact scenario you hope will never happen. Ideally, you will engage your OC in these table-top exercises and work with them to develop a cyber war chest with call sheets and an immediate-actions plan for handling an event. Theory is great, but practice and experience beat it every day of the week!
Finally, after each table-top/war game exercise ensure you hold a lessons-learned debrief session and a post-mortem on the exercise to identify weaknesses in the response and preparation.
You need good defences, you need pro-active defences, but you also need to plan and be prepared for the worst-case scenario of a breach and ensure that your team are ready and not caught in the headlights like a startled rabbit.