Hacking of organizations’ systems is becoming increasingly commonplace, even with advancements in security practices. To mitigate risk, a company must have an enterprise-level, cross-functional incident response plan that is rehearsed and practiced. In the event of an incident, a company with a rehearsed plan can avoid delays and mistakes, minimize conflicts between functions, and ensure that regulatory, legal and contractual reporting requirements are met.
Take Preventative Action
No one can predict when or how a cybersecurity breach will occur, but organizations should take active steps to prepare. The following five actions can help ensure an organization’s cyber-readiness.
1. Adopt and continuously optimize a formal cybersecurity program
While any program should be tailored to the organization's industry and regulatory schemes, the program must generally have the following core components.
- Assign responsibility for cybersecurity to a chief information security officer (CISO) or other senior executive
- Ensure the board is engaged and regularly briefed on cybersecurity matters
- Establish written information security policies addressing relevant industry standards or regulations
- Periodically test and audit these policies and document follow-through
2. Conduct a risk assessment
- Identify the types of sensitive data you process and store
- Formally assess and inventory where on your systems sensitive data is held
- Identify threats and vulnerabilities to sensitive data
- Analyze how sensitive data is currently protected (i.e., how risk is currently being mitigated)
- Document costs/benefits of additional security measures, and agree upon a mitigation plan setting timelines and allocating necessary financial, personnel, and technical resources
3. Manage third-party risks
- Identify vendors and other third parties with access to or control over your systems or data
- Ensure third-party access is strictly limited to business need
- Develop procedures for conducting cybersecurity due diligence on vendors
- Review contracts with vendors to understand their obligations in the event of a breach
4. Train your employees
- Provide regular cybersecurity training to all employees (from top management down)
- Ensure employees understand relevant threats and good cyber hygiene practices
- Test employee understanding through realistic simulations (e.g., mock phishing emails)
- Rehearse incident response plan with all relevant stakeholders
5. Develop and maintain an incident response plan
- Identify members of the response team and define their roles (as discussed further below)
- Classify types of incidents that will trigger the plan and how they will be escalated internally
- Identify external parties that should be notified and articulate when/how notifications should be made
- Provide contact information for pre-vetted outside resources (external counsel, cyber-forensics firm)
- Refine plan based on lessons learned from each incident
For a deeper dive on the development of a cross-functional incident response plan, please read: 5 Preventative Steps to Manage Legal Risk Following a Cybersecurity Breach
This post was prepared with the assistance of Madonna Kobayssi in the Dubai office of Latham & Watkins.